Trello, a popular online task-management website that organizes to-do lists and coordinates team tasks, has been found exposing a huge trove of private data to the public, according to a report from Naked Security.
While the default setting for Trello boards is set to ‘private’, several users change them to ‘public’, which means that the content posted there can be viewed by anyone.
When a Trello board is made public, a search engine such as Google is efficient at getting the content of that board into its index. This means anyone with a browser, in theory, could see the data, which included names, addresses, performance ratings, and company training videos, simply by using a specialized type of search called a ‘dork’.
Craig Jones, a global cybersecurity operations director at Sophos, has been keeping watch on public Trello boards for a couple of years now. In fact, he first tweeted about this in 2018.
One of the worst Trello boards I came across, a HR onboarding Trello board, it's been reported and removed now. It had so much PII I nearly ran out of blue… #passwords #infosec pic.twitter.com/ZK3fpeKNpH
— Craig Jones (@albanwr) April 17, 2018
However, the recent data breach of serviced offices and co-working space provider Regus via a public Trello board prompted Craig to investigate it further.
On investigation, he found a housing company board that explained the fixes needed in each accommodation, including broken door locks.
Craig also noticed a staff board belonging to what appeared to be some type of facilities company, which included names, dates of birth, emails, ID numbers, bank account information, and more.
Moving further, he also found an HR board that described a specific job offer to someone, including their salary, bonus and contractual obligations.
Besides the above, he also discovered a board relating to an Australian pub that contained bucketloads of Gmail and social media passwords, credentials belonging to a global IT household name, API keys, and customer fraud details.
Craig contacted the companies he could reach to notify them that their data was publicly accessible. Several of them have already taken down the boards.
According to Craig, most of the time when sensitive boards are set up and made public, people simply forget to set them back to private. Hence, he believes it is the user’s responsibility to ensure that their data is kept private. He also wants search engines like Google and others to stop indexing boards altogether.
For me, any benefit in indexing Trello boards is far outweighed by the risk of making it possible to access inadvertently exposed data. While we should all take responsibility for keeping our Trello boards private, I’d love to see Google and others stop the indexing of them in the first place.
What can you do to stay safe? If you are a Trello user, check the status of your boards and set anything containing sensitive data to “private”.
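One way to make that check routine rather than a one-off is to pull the list of your own boards from Trello’s REST API and flag any whose visibility is “public”. The script below is an added example, not code from the article or from Trello; it assumes the `GET /1/members/me/boards` endpoint and the `prefs.permissionLevel` field (values `private`, `org`, `public`), and the sample board list is constructed so the audit logic can run offline.

```python
import json
import os
import urllib.parse
import urllib.request

# Constructed sample in the shape of the board objects Trello's API returns.
# Assumption: each board carries prefs.permissionLevel = private | org | public.
SAMPLE_BOARDS = json.loads("""[
  {"name": "HR onboarding", "url": "https://trello.com/b/EXAMPLE1/hr-onboarding",
   "closed": false, "prefs": {"permissionLevel": "public"}},
  {"name": "Sprint 12", "url": "https://trello.com/b/EXAMPLE2/sprint-12",
   "closed": false, "prefs": {"permissionLevel": "private"}},
  {"name": "Old facilities list", "url": "https://trello.com/b/EXAMPLE3/facilities",
   "closed": true, "prefs": {"permissionLevel": "public"}},
  {"name": "Team wiki", "url": "https://trello.com/b/EXAMPLE4/wiki",
   "closed": false, "prefs": {"permissionLevel": "org"}}
]""")


def find_public_boards(boards, include_closed=True):
    """Return the boards whose visibility is 'public', oldest-closed included by default.

    A closed (archived) board is still a board the owner may have forgotten about,
    which is exactly the case the article describes, so it is reported too unless
    the caller opts out. Boards with missing prefs are treated as not public.
    """
    hits = []
    for board in boards:
        level = board.get("prefs", {}).get("permissionLevel")
        if level != "public":
            continue
        if board.get("closed", False) and not include_closed:
            continue
        hits.append({"name": board["name"], "url": board["url"],
                     "closed": board.get("closed", False)})
    return hits


def fetch_my_boards(key, token):
    """Fetch the caller's boards from Trello (assumed endpoint; needs network access)."""
    query = urllib.parse.urlencode(
        {"key": key, "token": token, "fields": "name,url,closed,prefs"})
    url = f"https://api.trello.com/1/members/me/boards?{query}"
    with urllib.request.urlopen(url, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Use live data when TRELLO_KEY/TRELLO_TOKEN are set, otherwise the sample.
    key, token = os.environ.get("TRELLO_KEY"), os.environ.get("TRELLO_TOKEN")
    boards = fetch_my_boards(key, token) if key and token else SAMPLE_BOARDS
    for hit in find_public_boards(boards):
        state = "closed" if hit["closed"] else "open"
        print(f"PUBLIC ({state}): {hit['name']} -> {hit['url']}")
```

Run against the sample it reports the two public boards; with an API key and token in the environment it audits your real account instead.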
If you are aware of any exposed data – possibly related to you or a company you have worked at – there are two options to take it down.
The first option is to contact the admin who set up the board. The second is to contact Trello and ask for the board’s setting to be changed to ‘private’.
It is important to note that even after taking either of the above steps, the content remains cached on search engines for some time. Hence, it is also necessary to ask Google to remove the content from search, or to send a cache-flushing request (which makes Google re-index the page, hopefully receiving a 404 from Trello).