Millions of email accounts associated with Trello, an online project management tool, have been found for sale on a hacking forum.
Threat actors released 15 million email addresses, which were collected using an unsecured API, a report from Bleeping Computer said.
While almost all of the data in these profiles is public information, each profile also contained non-public email addresses associated with the account.
Atlassian, Trello’s parent company, shared that the data was stolen using an unsecured REST API that allowed developers to query for public information about a profile based on the user’s Trello ID, username, or email address.
Unsecured APIs are a common way for threat actors to access data. They then combine an individual’s non-public information with that person’s public information, which poses security and privacy risks.
The data compromised in the leak can be used for targeted phishing attacks to steal more sensitive information, such as passwords. Threat actors may also use the data for doxing, allowing them to link addresses to people and their aliases.