A hacker calling himself “Emo” claims to have stolen sensitive data from the popular project management tool Trello.
According to the hacker, around 21 gigabytes of data were stolen, including more than 15 million unique email addresses. The attacker claims to have exploited an unprotected Trello API interface that made it possible to link email addresses to Trello accounts without authentication.
The hacker boasted in a post on an illegal marketplace that the data was “very useful for doxxing” as personal emails could be linked to full names and usernames. The data should also contain profile URLs and other information. Doxxing is the collection and publication of private or identifying information of a person or organization on the Internet.
Procedure and motivation
The alleged break-in is said to have taken place on January 16, 2024. First, the hacker used already known data leaks to match emails with Trello accounts. He later expanded the attack and collected more email addresses until, as he himself says, he was “bored”. Interestingly, the data was published free of charge after the hacker had previously tried to sell it.
Trello’s reaction
Trello said in a statement that it was aware of the hacker’s claims. After a thorough investigation, however, no evidence of unauthorized access was found. The company assumes that the attacker tested an existing list of email addresses against publicly accessible Trello user profiles.