JULY 18, 2024 [Update from Atlassian]
This week, the public Trello user profile data obtained by a threat actor via API misuse in January 2024 was released. As noted in our January 23, 2024 post below, we want to reiterate that the threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source.
The security and privacy of our users' data is our highest priority, and given the API misuse uncovered in this investigation, Atlassian promptly took action to prevent this from happening in the future.
What’s Changed
As a core function of the product and enabled by the Trello REST API, Trello users invite members or guests to their public boards by email address.
However, with the API changes we enacted in January following this incident, unauthenticated users and services can no longer request another user's public information by email. Authenticated users can still request information that is publicly available on another user's profile using this API.
We believe this change strikes a balance between preventing API misuse and maintaining the ‘invite to a public board by email’ feature for our users. We will continue to monitor the use of the API and take any necessary actions.
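The change described above, modelled as an added example that is not Trello's code (the service, thresholds and profile data are constructed): the same lookup with require_auth=False reproduces the pre-change exposure, the default requires a caller token, and the per-caller window gives operators a hook for spotting bulk email-to-profile enumeration.

```python
import time
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: only fields the user has marked public are stored here.
PUBLIC_PROFILES: Dict[str, Dict[str, str]] = {
    "alice@example.com": {"username": "alice", "full_name": "Alice Example"},
    "bob@example.com": {"username": "bob", "full_name": "Bob Example"},
}

@dataclass
class LookupService:
    """Email -> public-profile lookup. require_auth=False models the pre-change behaviour."""
    require_auth: bool = True
    max_per_window: int = 20          # assumed per-caller budget, not Trello's real limit
    window_secs: float = 60.0
    _calls: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    _limited: List[str] = field(default_factory=list)

    def lookup_by_email(self, email: str, auth_token: Optional[str],
                        now: Optional[float] = None) -> Tuple[int, dict]:
        """Return (http_status, body); 401/404/429 follow HTTP semantics."""
        now = time.time() if now is None else now
        if self.require_auth and not auth_token:
            # Post-change rule: unauthenticated callers cannot resolve an email at all.
            return 401, {"error": "authentication required"}
        caller = auth_token or "anonymous"
        recent = [t for t in self._calls[caller] if now - t < self.window_secs]
        if len(recent) >= self.max_per_window:
            # A caller burning through the budget is the signal for bulk enumeration.
            if caller not in self._limited:
                self._limited.append(caller)
            return 429, {"error": "rate limited"}
        recent.append(now)
        self._calls[caller] = recent
        profile = PUBLIC_PROFILES.get(email.strip().lower())
        if profile is None:
            return 404, {"error": "no such user"}
        return 200, dict(profile)

    def enumeration_suspects(self) -> List[str]:
        """Callers that hit the per-window limit; feed this to alerting."""
        return list(self._limited)
```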
JANUARY 23, 2024 [Original post]
Hey Trello Community,
We are aware of claims made by a threat actor about Trello user profile data. We completed an exhaustive investigation and did not find evidence to support that this data was gathered by unauthorized access. A threat actor, who was in possession of a pre-existing list of email addresses, used those email addresses to look up public Trello user profiles. The email addresses and the public Trello user profile data were combined to create the final data set.
We want to reassure you that the threat actor only obtained Trello user profile information that was already publicly available and combined this information with email addresses that the threat actor had obtained from another source.
There is no action you need to take related to your Trello account; however, please review your Trello privacy settings to ensure anything in a public field is something you don’t mind being public. To view your public profile, log into Trello and go to trello.com/you.
Moreover, here are some general best practices to keep your account secure:
Enable two-factor authentication on your Trello account.
Use a strong, unique password mixing letters, numbers, and special characters.
You can also use a password manager such as LastPass or Bitwarden to generate and manage your account’s password.
We have more details on these practices to increase the protection of your account here: Protect your Atlassian account | Atlassian Support.
If you have additional questions, please reach out to our Trello Support team here.
Erika Storli
Senior Product Marketing Manager, Trello