Trello exposed! Search turns up huge trove of private data – Naked Security

Hands up who’s used the increasingly popular online collaboration platform Trello?

Trello is great for organising to-do lists and for coordinating team tasks.

But it has its downsides too. While the default for Trello boards is set to ‘private’, many users set them to ‘public’ which means that anyone can see what’s posted there.

Not only that, search engines such as Google index public Trello boards, making it simple for anyone to uncover the boards’ contents using a specialised type of search called a ‘dork’.
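The practical defence is to audit your own workspace rather than wait for someone else's search to find a board. The script below is an added example, not code from the article, from Sophos or from Trello: it assumes Trello's REST endpoint `GET /1/members/me/boards` with a `fields` parameter, and that each board carries `prefs.permissionLevel` set to `private`, `org` or `public`. It lists the boards that are world-readable (and therefore indexable) and flags cards on those boards whose text looks like it holds credentials. The `fetch_boards` call is live and needs a key and token; the rest runs offline on constructed sample data.

```python
"""
Audit a Trello workspace for boards that anyone (and any search engine) can read.

Added example code, not from the Naked Security article or from Trello.
Assumptions: GET /1/members/me/boards returns each board's prefs, and
prefs.permissionLevel is one of "private", "org", "public".
"""
import json
import re
import urllib.parse
import urllib.request

TRELLO_API = "https://api.trello.com/1"

# Crude, deliberately broad patterns: they surface candidate secrets on a
# public board for a human to review, they are not a precise secret scanner.
SECRET_PATTERNS = {
    "password-assignment": re.compile(r"(?i)\b(pass(word)?|pwd)\s*[:=]\s*\S+"),
    "aws-access-key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "bearer-token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._-]{20,}"),
    "generic-api-key": re.compile(r"(?i)\b(api[_-]?key|token)\s*[:=]\s*[A-Za-z0-9_\-]{16,}"),
}


def fetch_boards(api_key, api_token):
    """Live call: fetch the caller's boards with name, URL and visibility prefs."""
    query = urllib.parse.urlencode({
        "key": api_key, "token": api_token, "fields": "name,url,prefs",
    })
    with urllib.request.urlopen(f"{TRELLO_API}/members/me/boards?{query}") as resp:
        return json.load(resp)


def public_boards(boards):
    """Boards whose permissionLevel is 'public': readable without login, indexable."""
    return [b for b in boards if b.get("prefs", {}).get("permissionLevel") == "public"]


def find_secrets(text):
    """Names of SECRET_PATTERNS that match anywhere in text, sorted for stable output."""
    return sorted(name for name, pat in SECRET_PATTERNS.items() if pat.search(text))


def audit(boards, cards_by_board):
    """
    boards: list of board dicts as returned by the Trello API.
    cards_by_board: {board_id: [card dicts with 'name' and 'desc']}.
    Returns {board_name: {card_name: [pattern names]}} for public boards only;
    a public board with no suspicious cards still appears, with an empty dict,
    because being public is itself the finding.
    """
    findings = {}
    for board in public_boards(boards):
        hits = {}
        for card in cards_by_board.get(board["id"], []):
            matched = find_secrets(card.get("name", "") + "\n" + card.get("desc", ""))
            if matched:
                hits[card["name"]] = matched
        findings[board["name"]] = hits
    return findings


# Constructed sample data standing in for API responses (no live call made).
SAMPLE_BOARDS = [
    {"id": "b1", "name": "Team roadmap", "prefs": {"permissionLevel": "private"}},
    {"id": "b2", "name": "Ops runbook", "prefs": {"permissionLevel": "public"}},
    {"id": "b3", "name": "Staff list", "prefs": {"permissionLevel": "org"}},
]
SAMPLE_CARDS = {
    "b2": [
        {"name": "Deploy steps", "desc": "run ./deploy.sh then check dashboards"},
        {"name": "Shared accounts", "desc": "password: Summer2020!\napi_key=abcdefghijklmnop1234"},
    ],
}

if __name__ == "__main__":
    # To audit a real workspace: report = audit(fetch_boards(KEY, TOKEN), cards)
    report = audit(SAMPLE_BOARDS, SAMPLE_CARDS)
    for board, cards in report.items():
        print(f"PUBLIC board: {board}")
        for card, kinds in cards.items():
            print(f"  card '{card}' looks like it contains: {', '.join(kinds)}")
```

Run against a real workspace, the natural follow-up is to switch every flagged board to `private` (or `org`) and rotate any credential the scan surfaced, since a board that was public has to be treated as already indexed and copied.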

And it’s surprising how much sensitive data there is.

Our global cybersecurity operations director at Sophos, Craig Jones, has been keeping an eye on this for a couple of years, first tweeting about it in 2018.

When news broke last week about office space company Regus exposing the performance ratings of hundreds of its staff via a public Trello board, Craig thought he’d take another look at what’s out there.

An enthusiastic Trello user himself, Craig quickly found a trove of highly sensitive data sprayed out by sizeable numbers of public Trello boards.

He found a board from a housing company detailing the fixes needed in each accommodation, including broken door locks:

Craig also discovered a staff board for what appears to be some sort of facilities company that listed names, emails, dates of birth, ID numbers, bank account information, and more:

And then there’s an HR board that details a specific job offer to someone, including their salary, bonus and contractual obligations:

There’s more.

He found a board relating to an Australian pub which included details of customer fraud, bucketloads of Gmail and social media passwords, and API keys, passwords and credentials belonging to a global IT household name.

Craig has contacted the companies where he can, to inform them their data is publicly accessible. Many have taken down the boards already.