"Atlassian Tightens API After Hacker Scrapes 15M Trello Profiles"

Millions of names, usernames, and email addresses associated with public Trello boards have been put up for sale on the dark web, exposing the affected users to account takeover (ATO) and spear-phishing attacks. Atlassian, Trello's parent company, now says it has changed a critical Application Programming Interface (API) to prevent scraping attacks. Trello, a project management and collaboration platform, lets users make their "boards" (workspaces) publicly findable, which supports collaboration between different companies and stakeholders. A board administrator can invite others to a public board by email, and a REST API implements this feature. A cyberattacker known as "emo" abused this API in a business logic attack: querying the API with an email address returned the public profile associated with that address, so by feeding it a list of addresses emo was able to scrape publicly available data on 15 million Trello profiles. This article continues to discuss Atlassian's response to a hacker scraping millions of Trello profiles.
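The access pattern behind this kind of scraping is one client looking up many distinct email addresses against a lookup endpoint in a short time. The following detection script is an added example, not code from the article or from Atlassian; the endpoint path `/api/members?email=`, the log line format, and the client addresses are all assumptions, and the log lines are constructed for illustration.

```python
"""Flag clients enumerating an email-keyed profile lookup endpoint.
Added example; endpoint path, log format and addresses are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one scraper (203.0.113.9) and one ordinary inviter.
SAMPLE_LOG = """\
2024-01-22T10:00:00Z 203.0.113.9 GET /api/members?email=a1@example.org 200
2024-01-22T10:00:00Z 203.0.113.9 GET /api/members?email=a2@example.org 200
2024-01-22T10:00:01Z 203.0.113.9 GET /api/members?email=a3@example.org 404
2024-01-22T10:00:01Z 203.0.113.9 GET /api/members?email=a4@example.org 200
2024-01-22T10:00:02Z 203.0.113.9 GET /api/members?email=a5@example.org 200
2024-01-22T10:00:02Z 203.0.113.9 GET /api/members?email=a6@example.org 200
2024-01-22T10:05:00Z 198.51.100.7 GET /api/members?email=bob@example.org 200
2024-01-22T10:05:30Z 198.51.100.7 GET /api/members?email=bob@example.org 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) GET /api/members\?email="
                     r"(?P<email>\S+) (?P<status>\d{3})$")

def parse(log_text):
    """Yield (timestamp, client, email) per lookup; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["client"], m["email"].lower()

def find_enumerators(log_text, window=timedelta(minutes=5), threshold=5):
    """Return {client: distinct_emails} for clients that look up more than
    `threshold` distinct addresses inside any sliding `window`. Repeats of one
    address (re-inviting a colleague) do not count; 404 probes still do."""
    events = defaultdict(list)
    for ts, client, email in parse(log_text):
        events[client].append((ts, email))
    flagged = {}
    for client, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {e for _, e in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged
```

Running `find_enumerators(SAMPLE_LOG)` flags only the scraping client; the user who re-invites the same colleague twice is not reported.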

Dark Reading reports "Atlassian Tightens API After Hacker Scrapes 15M Trello Profiles"

Submitted by grigby1
