Whether you're a big team of colleagues or just an individual looking to stay on top of things, Trello is a fantastic tool to organise your life. Unfortunately, it is apparently a great target for hackers.
The organization tool was reportedly was the target of a cyber attack back in January that saw one hacker under the name "emo" get their hands on the Trello account information and full names of some 15 million users.
Six months later, that information has now appeared on sale on Telegram for a rather humble fee, with BleepingComputer estimating its cost as just $2.32. This means that, if the hack is real, Trello users may now face widespread distribution of their details.
How was Trello attacked?
Interestingly, the perpetrator of the attack has delivered a Bond-villain-style monologue explaining how they pulled it off, meaning there is no mystery about this alleged cyber attack.
"Trello had an open API endpoint that allows any unauthenticated user to map an email address to a Trello account," explained emo "I originally was only going to feed the endpoint emails from 'com' (OGU, RF, Breached, etc.) databases but I just decided to keep going with emails until I was bored."
Trello itself originally denied that any breach took place but in a recent statement confirmed that "Given the misuse of the API uncovered in this January 2024 investigation, we made a change to it so that unauthenticated users/services cannot request another user's public information by email."
Next steps for Trello users
If you're a Trello user, you should be concerned about your data potentially falling into the hands of scammers. Yes, it's not credit card or banking information but even generic account information and your full name being leaked can cause you trouble.
Pieces of information like this can be put together by threat actors to cause greater damage in what's called a correlation attack. But what can you do the protect yourself?
Well, the first step should be to change your password on Trello, and anywhere else you use that same password. Two-factor authentication may be a pain, but it's a much more secure way to protect your accounts.
If your information has been compromised, then watch out for an increased amount of spam emails and phishing scam attempts. Additionally, never download a suspicious-looking document or click on a link from an untrusted email. If this sounds stressful, luckily one of the best VPNs could be the answer. Using NordVPN's Threat Protection Pro is a great way to combat phishing scams as it automatically detects and deals with them for you.
Of course what's even better than dealing with spam automatically is never receiving it, and if you use Surfshark's Alternative ID feature you can forego having to use your real email and details to make a Trello (or other) account.
