The Target: Trello is an online project management tool owned by Atlassian. Businesses commonly use it to organize data and tasks into boards, cards, and lists.
The Take: The leaked data includes email addresses and public Trello account information, including the user's full name.
The Vector: While Atlassian, the owner of Trello, did not confirm at the time how the data was stolen, emo (the threat actor) said it was collected using an unsecured REST API that allowed developers to query for public information about a profile based on users' Trello ID, username, or email address.
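A defender-side illustration of the lookup-by-email behavior described above, added here as an example and not taken from Trello or Atlassian: it scans API access logs for unauthenticated clients that resolve many distinct email addresses to profiles within a short window. The log format, the `/api/members/` path, the thresholds, and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed log format: ISO time, client IP, auth state, method, path, status.
LINE_RE = re.compile(
    r"^(\S+) (\S+) (anon|authed) GET /api/members/(\S+) (\d{3})$")
EMAIL_RE = re.compile(r"^[^@\s/]+@[^@\s/]+\.[^@\s/]+$")

def find_email_enumerators(lines, window=timedelta(minutes=1), threshold=3):
    """Return {client_ip: peak distinct email lookups seen inside one window}
    for anonymous clients whose peak reaches the threshold."""
    recent = defaultdict(deque)   # ip -> (time, email) pairs still in the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, auth, ident, _status = m.groups()
        ident = unquote(ident).lower()
        # Only anonymous lookups keyed by an email address matter here: both a
        # hit and a miss tell the caller whether the address has a profile.
        if auth != "anon" or not EMAIL_RE.match(ident):
            continue
        now = datetime.fromisoformat(ts)
        q = recent[ip]
        q.append((now, ident))
        while q and now - q[0][0] > window:
            q.popleft()
        peak[ip] = max(peak[ip], len({email for _, email in q}))
    return {ip: n for ip, n in peak.items() if n >= threshold}

# Constructed sample log lines (documentation IP ranges, example.com addresses).
SAMPLE_LOG = """\
2024-01-16T10:00:01 203.0.113.7 anon GET /api/members/alice%40example.com 200
2024-01-16T10:00:02 203.0.113.7 anon GET /api/members/bob%40example.com 404
2024-01-16T10:00:03 198.51.100.4 authed GET /api/members/carol%40example.com 200
2024-01-16T10:00:04 203.0.113.7 anon GET /api/members/carol%40example.com 200
2024-01-16T10:00:05 203.0.113.7 anon GET /api/members/alice%40example.com 200
2024-01-16T10:00:06 192.0.2.9 anon GET /api/members/dave_the_dev 200
2024-01-16T10:05:00 192.0.2.9 anon GET /api/members/erin%40example.com 200
""".splitlines()

if __name__ == "__main__":
    for ip, n in find_email_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {n} distinct email lookups within one minute (anonymous)")
```

Counting distinct addresses rather than raw requests keeps a client that repeatedly refreshes one profile from being flagged, while a run of one-off lookups across many addresses is.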
As phishing actors continue to explore every potential abuse opportunity on legitimate service providers, novel security gaps constantly threaten to expose users to severe risks. It is essential not to rely solely on email protection solutions but also to scrutinize every email that lands in your inbox, look for inconsistencies, and double-check all claims made in those messages.