Atlassian’s Trello Customer Profiles Leaked

Trello, the Atlassian-owned team project management platform, had more than 15.1 million customer profiles leaked on the Breached hacking forum, months after the data was stolen through an exposed REST API, BleepingComputer reports.

The leaked profiles, which were generated by feeding a list of 500 million email addresses into the API and collecting the account details it returned, included users' full names, email addresses, and other public account information, according to the threat actor emo, who offered the list for the equivalent of $2.32.

"I originally was only going to feed the endpoint emails from 'com' (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored," said emo. Meanwhile, Atlassian said the API has been secured to prevent public information requests from unauthenticated users since the January incident.

"Authenticated users can still request information that is publicly available on another user's profile using this API. This change strikes a balance between preventing misuse of the API while keeping the ‘invite to a public board by email’ feature working for our users," said Atlassian.
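The defensive pattern Atlassian describes is an email-to-profile lookup that answers only authenticated callers. The example below is added here to illustrate that pattern and is not Atlassian's or Trello's code: it puts the weak, open lookup beside a hardened version that requires a session token and rate-limits each principal, and it adds a small log check that flags a client querying many distinct email addresses in a short window, which is the shape a bulk scrape leaves in access logs. The endpoint path `/profile-lookup`, the log line format, the session tokens and the user records are all constructed for the example.

```python
"""Added example (not Atlassian's or Trello's code): authenticated, rate-limited
profile lookup plus a detector for bulk email-to-profile enumeration.
Endpoint path, log format, tokens and user records are all constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed user directory; only fields a public profile page already shows.
USERS = {
    "alice@example.test": {"fullName": "Alice Example", "username": "alice"},
    "bob@example.test": {"fullName": "Bob Example", "username": "bob"},
}
# Constructed session tokens, mapped to the account that owns each one.
SESSIONS = {"tok-alice": "alice@example.test"}


def lookup_unauthenticated(email):
    """Weak shape: any caller can turn a list of emails into profile records."""
    return USERS.get(email)


class ProfileLookup:
    """Hardened shape: a valid session is required, and each principal gets at
    most `limit` lookups per `window`, so a single account cannot stream
    hundreds of millions of addresses through the endpoint."""

    def __init__(self, limit=10, window=timedelta(minutes=1)):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)  # principal -> timestamps of lookups

    def lookup(self, token, email, now):
        """Return (http_status, profile_or_None)."""
        principal = SESSIONS.get(token)
        if principal is None:
            return 401, None  # unauthenticated requests get nothing
        recent = self._hits[principal]
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop hits that fell out of the window
        if len(recent) >= self.limit:
            return 429, None  # principal exceeded its lookup budget
        recent.append(now)
        profile = USERS.get(email)
        return (200, profile) if profile else (404, None)


# Constructed access-log format: "<iso-ts> client=<ip> auth=<token|none> GET ... status=<code>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) auth=(?P<auth>\S+) "
    r"GET /profile-lookup\?email=(?P<email>\S+) status=(?P<status>\d{3})$"
)


def flag_enumeration(lines, window=timedelta(minutes=5), threshold=5):
    """Return the set of clients that queried at least `threshold` distinct
    emails within `window`. Distinct emails, not request count, is the signal:
    an invite flow repeats a handful of addresses; a scrape never repeats."""
    seen = defaultdict(list)  # client -> [(timestamp, email)]
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unrelated or malformed line
        seen[m["client"]].append((datetime.fromisoformat(m["ts"]), m["email"]))
    flagged = set()
    for client, events in seen.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            emails = {e for t, e in events[i:] if t - t0 <= window}
            if len(emails) >= threshold:
                flagged.add(client)
                break
    return flagged


# Constructed log lines: one client walks distinct addresses unauthenticated,
# another authenticated client re-checks the same address for an invite.
SAMPLE_LOG = [
    "2024-01-16T10:00:00 client=203.0.113.7 auth=none GET /profile-lookup?email=a1@example.test status=404",
    "2024-01-16T10:00:01 client=203.0.113.7 auth=none GET /profile-lookup?email=a2@example.test status=404",
    "2024-01-16T10:00:02 client=203.0.113.7 auth=none GET /profile-lookup?email=alice@example.test status=200",
    "2024-01-16T10:00:03 client=203.0.113.7 auth=none GET /profile-lookup?email=a4@example.test status=404",
    "2024-01-16T10:00:04 client=203.0.113.7 auth=none GET /profile-lookup?email=bob@example.test status=200",
    "2024-01-16T10:00:30 client=198.51.100.9 auth=tok-alice GET /profile-lookup?email=bob@example.test status=200",
    "2024-01-16T10:00:45 client=198.51.100.9 auth=tok-alice GET /profile-lookup?email=bob@example.test status=200",
    "2024-01-16T10:01:10 client=198.51.100.9 auth=tok-alice GET /profile-lookup?email=carol@example.test status=404",
]

if __name__ == "__main__":
    svc = ProfileLookup(limit=2)
    now = datetime(2024, 1, 16, 10, 0)
    print(svc.lookup("nope", "alice@example.test", now))      # (401, None)
    print(svc.lookup("tok-alice", "bob@example.test", now))   # (200, {...})
    print(flag_enumeration(SAMPLE_LOG))                       # {'203.0.113.7'}
```

The per-principal limit is what makes authentication meaningful here: requiring a token alone only changes which account the scrape runs under, whereas a budget per account caps how many addresses one session can resolve before it is stopped, and the distinct-email check gives the logging side a way to spot the same behaviour after the fact.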