Setting the record straight about Trello user profile data

JULY 18, 2024 [Update from Atlassian]

This week, the public Trello user profile data obtained by a threat actor via API misuse back in January 2024 was released. As noted in our January 23, 2024 blog post below, we want to reiterate that the threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source.

The security and privacy of our users' data is our highest priority, and given the API misuse uncovered in this investigation, Atlassian promptly took action to prevent this from happening in the future.

What’s Changed

As a core function of the product and enabled by the Trello REST API, Trello users invite members or guests to their public boards by email address.

However, with the API changes we enacted in January following this incident, unauthenticated users/services can no longer request another user's public information by email. Authenticated users can still request information that is publicly available on another user's profile using this API.

We believe this change strikes a balance between preventing API misuse and maintaining the ‘invite to a public board by email’ feature for our users. We will continue to monitor the use of the API and take any necessary actions.
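One way to detect the misuse pattern this post describes, a single unauthenticated client replaying a list of email addresses against a profile lookup endpoint, as an added example that is not Atlassian's code: the log format and the /api/members/by-email path are constructed for illustration and are not Trello's real API or logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample log (not real Trello logs). Fields: timestamp, client IP,
# authenticated user id or "-" when unauthenticated, method, request path.
LOOKUP_PATH = "/api/members/by-email"  # hypothetical endpoint, not Trello's real route
SAMPLE_LOG = """\
2024-01-15T10:00:01Z 203.0.113.5 - GET /api/members/by-email?email=a%40example.com
2024-01-15T10:00:02Z 203.0.113.5 - GET /api/members/by-email?email=b%40example.com
2024-01-15T10:00:02Z 203.0.113.5 - GET /api/members/by-email?email=c%40example.com
2024-01-15T10:00:03Z 203.0.113.5 - GET /api/members/by-email?email=d%40example.com
2024-01-15T10:00:10Z 198.51.100.7 user123 GET /api/members/by-email?email=a%40example.com
2024-01-15T10:00:11Z 198.51.100.7 user123 GET /api/members/by-email?email=e%40example.com
2024-01-15T10:00:20Z 192.0.2.9 - GET /api/boards/123
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_log(log):
    """Yield (timestamp, ip, auth, path) tuples, skipping malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, auth, _method, path = m.groups()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, auth, path

def find_enumerators(log, min_distinct=3, window_seconds=60):
    """Return {ip: max distinct emails} for unauthenticated clients that looked up
    at least `min_distinct` different emails inside any `window_seconds` window."""
    per_ip = defaultdict(list)
    for ts, ip, auth, path in parse_log(log):
        # Authenticated callers are out of scope here: after the January change the
        # unauthenticated path is the one that should never carry this volume.
        if auth != "-" or not path.startswith(LOOKUP_PATH):
            continue
        email = parse_qs(urlparse(path).query).get("email", [""])[0].lower()
        per_ip[ip].append((ts, email))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over sorted events
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = len({e for _, e in events[start:end + 1]})
            if distinct >= min_distinct:
                flagged[ip] = max(flagged.get(ip, 0), distinct)
    return flagged
```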

Hey Trello Community,

We are aware of claims made by a threat actor about Trello user profile data. We completed an exhaustive investigation and did not find evidence to support that this data was gathered by unauthorized access. A threat actor, who was in possession of a pre-existing list of email addresses, used those email addresses to lookup public Trello user profiles. The email addresses and the public Trello user profile data were combined to create the final data set.

We want to reassure you that the threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source.

There is no action you need to take related to your Trello account; however, please review your Trello privacy settings to ensure anything in a public field is something you don’t mind being public. To view your public profile, log into Trello and go to trello.com/you.

Moreover, here are some general best practices to keep your account secure:

  • Enable two-factor authentication on your Trello account.

  • Use a strong, unique password mixing letters, numbers, and special characters.

  • You can also use a password manager such as LastPass or Bitwarden to generate and manage your account’s password.

We have more details on these practices to increase the protection of your account here: Protect your Atlassian account | Atlassian Support.

If you have additional questions, please reach out to our Trello Support team here.

11 comments

Lee Henderson
I'm New Here
January 24, 2024

The linked profile page link does not work and redirects to the home page. I can understand why it would be disabled now, but please provide complete information on what data about a user was previously available there. This would constitute a fuller disclosure.
Brittany Joiner
Community Leader
January 24, 2024

@Lee Henderson, are you logged in? You might need to log in and then you can click that. It took me straight to my profile page when I clicked it.
Brittany Joiner
Community Leader
January 24, 2024

@Erika Storli thanks for the transparency and update here!

Awephton January 25, 2024

I received the notice that the Trello board was scraped and the information will be sold. What measures need to be taken? As I trusted it was safe and used Atlassian to further enhance the security, there is a lot of info that could hurt my company badly if leaked.
Awephton January 25, 2024

" Trello: In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred.

Compromised data: Email addresses, Names, Usernames"

Eliane Oliveira
I'm New Here
January 25, 2024

Good morning.

I just logged into my Trello profile and 2 workspaces in my account that I had set up for clients are empty (no information). How do I recover them?

URGENT!!

I LOGGED INTO THE ACCOUNT AGAIN AND EVERYTHING APPEARED!

Alex W
Atlassian Team
January 30, 2024

@Awephton - Only information that was already publicly available on your Trello account may have been viewed. To view your public profile, log into Trello and go to https://trello.com/you. The information displayed here is publicly available.

We have more details about what kind of information is available publicly here: https://support.atlassian.com/trello/docs/removing-trello-content-from-google/

Alex W
Atlassian Team
January 30, 2024

@Eliane Oliveira - it sounds like the issue you're facing is not related to this thread. If you're still experiencing an issue, please create a Community question describing the issue you're facing at https://community.atlassian.com/t5/forums/postpage/board-id/trello-questions and our Community will be able to assist you.

Eric Tolliver July 17, 2024

Now that the hacked information has been publicly released (https://www.bleepingcomputer.com/news/security/email-addresses-of-15-million-trello-users-leaked-on-hacking-forum/) is there going to be a more detailed disclosure so we know what can be done to protect ourselves?

Questions I have:

1. What was the exact date of the breach?

2. Did the breach include accounts closed before that date (including free trial accounts that Atlassian closed)?

3. Can you identify what fields Atlassian disclosed? People who closed their accounts can no longer see what fields were made public.

benjlai
I'm New Here
July 24, 2024

Atlassian’s response so far has been extremely disappointing. I only found out via an alert from Equifax today informing me that my Trello details have been disclosed on the Dark Web. Instead of sending out emails to your 15M customers and alerting them of the breach on the 18th of July, you placed it on a web page which has been viewed 9K times (0.06%).

Data breaches will happen and once they occur, they are out of your control, but how you respond to them is just as important. Right now, you are failing the most basic due diligence by not informing your customer base directly and giving your own customers the opportunity to update their passwords and enhance their security via 2FA to help protect their data.
Brittany Joiner
Community Leader
July 24, 2024

@benjlai I don’t work for Trello, but you can set up 2FA on your account; you should see it in your account settings.

Also, if I’m understanding correctly, the impact was data leaked that was already public.
