In January 2024, a threat actor named emo released over 15 million email addresses linked to Trello accounts for only $2.32, exploiting an unsecured API.
In January, multiple reports surfaced that a hacker known as ‘emo’ was selling profiles of 15,115,516 Trello members on a prominent hacking forum. While most of the data in these profiles were public, each contained a non-public email address associated with the account.
The hacker confirmed to BleepingComputer that the data was collected using an unsecured REST API. This API allowed developers to query public information about a profile based on users’ Trello ID, username, or email address.
Emo compiled a list of 500 million email addresses and fed them into the API to determine their association with Trello accounts. The resultant list was combined with returned account information to create profiles for over 15 million users.
Emo has now dumped all the exfiltrated data on the Breached hacking forum for eight site credits, equivalent to $2.32. In a forum post, emo explained, “Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account. I originally intended to use emails from ‘com’ (OGU, RF, Breached, etc.) databases but decided to keep going until I was bored.”
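In API access logs, the enumeration described above appears as one unauthenticated client looking up many distinct email addresses in a short time. The detection logic below is an added example, not code from Trello or from the reporting; the log format, the `/api/members/` path and the thresholds are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed (hypothetical) log format: timestamp, client IP, auth state, request, status.
LINE = re.compile(r"(\S+) (\S+) auth=(\S+) GET /api/members/(\S+) (\d{3})")
EMAIL = re.compile(r"[^@\s/]+@[^@\s/]+\.[^@\s/]+")

def find_enumerators(lines, window=timedelta(minutes=1), max_distinct=3):
    """Return {client: peak distinct email lookups seen in one window} for
    unauthenticated clients that exceed max_distinct."""
    recent = defaultdict(deque)  # client -> (timestamp, email) pairs inside the window
    flagged = {}
    for line in lines:
        m = LINE.fullmatch(line.strip())
        if not m:
            continue
        ts, client, auth, ident, _status = m.groups()
        ident = unquote(ident).lower()
        # Only unauthenticated lookups keyed by an email address matter here;
        # lookups by username or member ID do not confirm a private email.
        if auth != "none" or not EMAIL.fullmatch(ident):
            continue
        now = datetime.fromisoformat(ts)
        q = recent[client]
        q.append((now, ident))
        while q and now - q[0][0] > window:
            q.popleft()
        distinct = len({email for _, email in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample log: one client walking an email list, one ordinary user.
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.7 auth=none GET /api/members/alice%40example.com 200",
    "2024-01-01T10:00:01 203.0.113.7 auth=none GET /api/members/bob%40example.com 404",
    "2024-01-01T10:00:02 203.0.113.7 auth=none GET /api/members/carol%40example.com 200",
    "2024-01-01T10:00:03 203.0.113.7 auth=none GET /api/members/dave%40example.com 404",
    "2024-01-01T10:00:04 203.0.113.7 auth=none GET /api/members/erin%40example.com 200",
    "2024-01-01T10:00:05 198.51.100.4 auth=token GET /api/members/alice%40example.com 200",
    "2024-01-01T10:00:06 198.51.100.4 auth=none GET /api/members/some_username 200",
]

if __name__ == "__main__":
    for client, n in find_enumerators(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct unauthenticated email lookups within the window")
```

Counting distinct addresses rather than raw requests keeps a client that retries one lookup from being flagged, and the 200/404 mix in the sample shows why the response itself confirms whether an address has an account.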

The compromised information includes users’ email addresses and publicly available details from their Trello profiles, including full names. This data breach raises concerns about potential phishing schemes, where attackers could use the stolen information to craft convincing messages to trick users into revealing sensitive data like passwords.
Security researchers also suggest that the exposed data might be exploited for doxxing. This could allow malicious actors to connect email addresses with real identities and online aliases, potentially compromising users’ privacy and online personas.
It’s important to note that the full extent and potential misuse of this data are still being assessed.
Poorly protected application programming interfaces (APIs) have emerged as a prime target for cybercriminals. Recently, a security flaw in Twilio’s API resulted in hackers leaking nearly 33 million phone numbers associated with the Authy app.