Scraped data of 15 million Trello users for sale on the dark web
Data from over 15 million Trello users was scraped and offered for sale on a dark web hacker forum. The data set includes:
- emails,
- usernames,
- full names,
- other account information
but does not contain passwords.
Trello's parent company, Atlassian, confirmed that there was no unauthorized access to Trello's systems, indicating that the data was likely obtained by exploiting a publicly accessible resource on Trello, using email addresses from previous breaches. The veracity of the list was also confirmed by Have I Been Pwned, which noted that the data was already in Have I Been Pwned from previous leaks.
While the data does not include passwords, it raises concerns about potential targeted phishing and brute-force password attacks, especially for users who reuse email and password combinations across different services. Users who haven't enabled two-factor authentication are at a higher risk of account hijacking.
Users are advised to check their email addresses against known data breaches and to remain vigilant against potential misuse of their scraped data.
Update: as of 15th of July 2024, the user under the alias "emo" posted the entire list of 15,115,516 profiles on the Breached hacking forum. They explained that "Trello had an open API endpoint that allows any unauthenticated user to map an email address to a trello account."
The leaked data includes email addresses and public Trello account information, including the user's full name.
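A defender-side view of the endpoint behaviour quoted above, as an added example that is not from the original article or from Trello: it scans an API access log for unauthenticated clients that resolve many distinct email addresses within a short window. The log format, the `/lookup` path, its `email` parameter and the thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (not real Trello data). Fields: timestamp,
# client IP, principal ("-" = unauthenticated), method, target, status.
# The /lookup path and its "email" parameter are hypothetical.
SAMPLE_LOG = """\
2024-01-01T10:00:01+00:00 203.0.113.7 - GET /lookup?email=a1%40example.com 200
2024-01-01T10:00:02+00:00 203.0.113.7 - GET /lookup?email=a2%40example.com 404
2024-01-01T10:00:02+00:00 198.51.100.4 - GET /lookup?email=bob%40example.org 200
2024-01-01T10:00:03+00:00 203.0.113.7 - GET /lookup?email=a3%40example.com 200
2024-01-01T10:00:04+00:00 192.0.2.9 alice GET /lookup?email=c1%40example.net 200
2024-01-01T10:00:04+00:00 203.0.113.7 - GET /lookup?email=a4%40example.com 404
2024-01-01T10:00:05+00:00 192.0.2.9 alice GET /lookup?email=c2%40example.net 200
2024-01-01T10:00:05+00:00 203.0.113.7 - GET /lookup?email=A4%40example.com 404
2024-01-01T10:00:06+00:00 203.0.113.7 - GET /lookup?email=a5%40example.com 200
2024-01-01T10:05:00+00:00 198.51.100.4 - GET /lookup?email=bob%40example.org 200
"""

def parse(line):
    """Split one log line into (timestamp, client, principal, looked-up email)."""
    ts, client, principal, _method, target, _status = line.split()
    email = parse_qs(urlsplit(target).query).get("email", [None])[0]
    # Normalise case so A4@... and a4@... count as one address.
    return datetime.fromisoformat(ts), client, principal, email and email.lower()

def find_enumerators(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {client: peak distinct emails per window} for unauthenticated
    clients whose distinct email lookups reach the threshold in any window."""
    recent = defaultdict(deque)  # client -> (timestamp, email) inside the window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, client, principal, email = parse(line)
        if principal != "-" or email is None:
            continue  # only unauthenticated email lookups are of interest here
        q = recent[client]
        q.append((ts, email))
        while ts - q[0][0] > window:  # drop lookups older than the window
            q.popleft()
        distinct = len({e for _, e in q})
        if distinct >= threshold:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG.splitlines()))
```

Counting distinct addresses rather than raw requests keeps a client that repeatedly checks one address from being flagged, and both 200 and 404 responses count because either one tells the caller whether an account exists.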