SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Trello data breach exposes 15 million users' details on Dark Web
Sun, 28th Jan 2024

Popular project management platform Trello has suffered a data breach exposing the personal details of 15 million users. The information, including names and email addresses, was reportedly collected by scraping and is now being offered for sale on the Dark Web. Atlassian, Trello's parent company, says it has taken significant steps to prevent such scraping attacks from recurring by adjusting its API. Some experts, however, suggest Atlassian is downplaying its own role in the incident.

The breach involved unauthorised scraping and extraction of data from 15 million Trello profiles, raising serious concerns about user privacy and data protection. By exposing a weakness in Atlassian's API, the incident has underscored the need for more robust security around application programming interfaces to prevent unauthorised access.

In the wake of the breach, Atlassian has swiftly implemented measures to reinforce its API security, targeting the weakness the attacker exploited. An Atlassian spokesperson said there was 'no unauthorised access to internal Trello systems.' The company is informing affected users while acknowledging the need for tighter API configuration.

Richard Bird, Chief Security Officer at Traceable AI, commented on Atlassian's response: "Atlassian's reaction to the recent successful Trello scraping attack is a further confirmation that we've officially entered the gaslighting era of cybersecurity. Companies seem to prefer blaming or minimising the impact on victims as their chosen approach to their conspicuous failure in responsibly managing their customers' data."

Bird continued: "Atlassian clearly knew that the exposed API was a problem, rectified it and then essentially told the customers - no big deal, your data wasn't that important anyway. If the data had no value, why did the hackers want it in the first place? Atlassian's suggestion that cyber thieves would waste their time 'just for fun' is absurd and offensive to customers who placed their trust in them."

He added: "In 2024, allowing a bad actor to be successful with such rudimentary business logic manipulation of an API is unimaginable. This was not a sophisticated attack; it was akin to a crook jiggling door handles to see who left their car doors unlocked. If Trello allowed such an API weakness to manifest within their system, how can we be assured that there aren't other just as poorly constructed and monitored APIs currently being exploited?"
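The article describes the weakness only in general terms (an API that could be scraped through "rudimentary business logic manipulation", later tightened by Atlassian), so the following is an added illustration of that class of weakness, not Trello's or Atlassian's code and not a description of their actual endpoint. It assumes a common shape for such an API, a profile lookup keyed on a caller-supplied email address, and contrasts an unauthenticated, unthrottled version with one that requires a bearer token, rate-limits each token and returns only a public handle. The user store, tokens, candidate list and rate-limit threshold are all constructed for the example.

```python
from collections import defaultdict, deque

# Constructed sample user store; these are not real accounts.
USERS = {
    "alice@example.com": {"id": 1001, "username": "alice", "name": "Alice Example"},
    "bob@example.com":   {"id": 1002, "username": "bob",   "name": "Bob Example"},
    "carol@example.com": {"id": 1003, "username": "carol", "name": "Carol Example"},
}
# Bearer tokens of authenticated API clients (constructed assumption).
VALID_TOKENS = {"tok-alice": 1001}

# Constructed candidate list, standing in for addresses harvested from older breaches.
CANDIDATES = ["alice@example.com", "nobody@example.com", "bob@example.com",
              "carol@example.com", "ghost@example.com"]


def lookup_weak(headers, params):
    """Scrapable pattern (assumed shape, not a description of Trello's real endpoint):
    no authentication, no throttling, lookup keyed on a caller-supplied email,
    and the full profile echoed back. Walking a list of addresses reveals which
    ones are registered and collects the profile attached to each."""
    user = USERS.get(params.get("email", "").strip().lower())
    if user is None:
        return 404, {"error": "not found"}
    return 200, {"email": params["email"], **user}


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window` seconds for each key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def lookup_hardened(headers, params, limiter, now):
    """Same business function with the controls the weak version lacks: the
    caller must present a valid bearer token, each token is throttled, and a
    match returns only the public handle, not the whole profile."""
    auth = headers.get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if token not in VALID_TOKENS:
        return 401, {"error": "authentication required"}
    if not limiter.allow(token, now):
        return 429, {"error": "rate limit exceeded"}
    user = USERS.get(params.get("email", "").strip().lower())
    if user is None:
        return 404, {"error": "not found"}
    return 200, {"username": user["username"]}


def harvest(handler, headers, emails):
    """Emulate a scraper walking the candidate list against one endpoint.
    Returns the records it managed to collect and the status code of each call."""
    records, statuses = [], []
    for email in emails:
        status, body = handler(headers, {"email": email})
        statuses.append(status)
        if status == 200:
            records.append(body)
    return records, statuses


def run_comparison():
    """Run the same scrape against both endpoints and summarise the outcome."""
    weak_records, weak_statuses = harvest(lookup_weak, {}, CANDIDATES)

    # Two lookups per minute per token (illustrative threshold); all calls land
    # inside one window, so the third and later calls are throttled.
    limiter = SlidingWindowLimiter(limit=2, window=60)
    hardened = lambda h, p: lookup_hardened(h, p, limiter, now=1000.0)
    anon_records, anon_statuses = harvest(hardened, {}, CANDIDATES)
    auth_records, auth_statuses = harvest(
        hardened, {"Authorization": "Bearer tok-alice"}, CANDIDATES)
    return {
        "weak_records": weak_records, "weak_statuses": weak_statuses,
        "anon_records": anon_records, "anon_statuses": anon_statuses,
        "auth_records": auth_records, "auth_statuses": auth_statuses,
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key}: {value}")
```

Against the weak endpoint the scraper collects every registered profile on its list with nothing but a sequence of GET requests, which is the "jiggling door handles" behaviour the quote refers to. The hardened version still answers 404 or 200 to an authenticated caller, so it remains a registration oracle; what changes is that every lookup is tied to an accountable identity, capped per token, and limited in what it discloses, which is what makes bulk harvesting both expensive and visible in logs.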

The Trello incident has renewed discussion of API security, serving as a reminder that companies should treat their APIs as valuable assets requiring the same due diligence as every other component of their digital infrastructure.