INSUBCONTINENT EXCLUSIVE:
A new bit of research from David Shear at security firm Flashpoint found that there are hundreds if not thousands of open Trello boards
containing passwords, login credentials, and other potentially sensitive stuff including employee on-boarding documents
He and Brian Krebs reported the boards to Trello although some folks have already been notified by well-meaning hackers who wrote “Change
your password” on some of these public boards.“One particularly jarring misstep came from someone working for Seceon, a Westford, Mass
cybersecurity firm that touts the ability to detect and stop data breaches in real time,” wrote Krebs
“But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the
company’s WordPress blog and iPage domain hosting.”Another Trello board made at Red Hat in 2017 offered passwords to a pair of online
test servers.Trello worked with the pair to take down the public boards they found and is working with Google to remove the cached
sites.“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around
each privacy setting, as well as persistent visibility settings at the top of each board,” said a Trello spokesperson.Missteps like these
Another rich trove of user data, Github, has been used to find private passwords for years
Anecdotally, a project I was working on suffered a breach when the CTO put a Bitcoin private key into some public Github code
Exactly.So, again, keep your Trello boards private, don’t paste passwords willy-nilly, and maintain at least a basic level of operational
security by not pasting passwords into any site that could make it public
It’s hard but definitely worth the effort.
