Why did I hear about this from haveibeenpwned rather than from Trello? I received an email from pwned but nothing from Trello.


Probably legal reasons. Usually doesn’t make business sense to declare and publicly announce a breach until you do some internal investigating to understand the scope/impact (not defending them, it’s just reality... also their cyber insurance company would get pissed if they did anything without their approval during a possible breach, things take time).

Probably also some internal debate whether this should be considered a breach or not and whether it’s worth the cost of announcing it vs. the risk of not announcing it.


There are legal (GDPR, Art. 34) requirements to publish a breach if it hits EU citizens and the bar for publication is met.


This is true, but as the parent mentioned you also need to understand the nature of the breach first. Giving people accurate information is as important as giving them timely information.


I think it's important to be clear that this isn't some small startup. Trello is Atlassian.


I just found out that I have different passwords for Trello and for Atlassian.

Whatever.


FTA: "Trello advised that no unauthorised access had occurred."

So they may not feel they need to say anything.


From what I can tell, you can get all the info mentioned just by putting an email into the invite popup. So this isn't a leak in that sense. Everything works as intended.


Because it wasn’t a breach, the title is misleading. It was just credential stuffing.