Readit News logoReadit News
Posted by u/sergiomattei 2 years ago
Tell HN: Trello Hacked?
Just got a notification from Have I Been Pwned about a credentials breach at Trello. Any news on this?

> In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred.

rshaban · 2 years ago
Yes, surprisingly, there is no other news source that I've found as yet. Worth noting, in the email from HIBP, they include the following full information: "Breach: Trello Date of breach: 16 Jan 2024 Number of accounts: 15,111,945 Compromised data: Email addresses, Names, Usernames Description: In January 2024, data was scraped from Trello and posted for sale on a popular hacking forum. Containing over 15M email addresses, names and usernames, the data was obtained by enumerating a publicly accessible resource using email addresses from previous breach corpuses. Trello advised that no unauthorised access had occurred."
rozenmd · 2 years ago
> scraped from Trello

they'll argue it isn't a hack then, intentionally public endpoint

sidmitra · 2 years ago
I don't know about Trello, but i understand why B2B SaaS have this problem. The main issue is the ability to support various authentication systems, protocols, eg. Okta SSO, Google, Password, Mobile apps, Custom SAML and dozens of other enterprise-y stuff.

To be able to support that most apps do it as first step is ask for an email to be able to redirect them to the right flow. So the problem is bootstrapping how does a user confirm it's him before he can login to the right system.

Most B2B apps are forced to deal with this because there's no one protocol here, and different paying customers have different internal systems. Asking the user to choose from a dropdown of 20+ paths is proving to be impossible of the extremely high customer support costs.

It's a cycle of misery

charcircuit · 2 years ago
The news is in that message. There was a way to get a trello account from an email and trello accounts have a public profile that show a display name and username.

I think the email was misleading saying that your trello was pwned.

mergy · 2 years ago
Interesting. If there is a larger disclosure on Atlassian, that would be a major issue.
zagfai · 2 years ago
It makes my hard to trust Internet now, although enterprise service.