Trello data exposed

If you are a user of the popular task management service Trello, you should take a few minutes to check your privacy settings.

Although the default option for new boards is ‘Private’, security researchers have discovered many boards that have been set to ‘Public’ by the board owners, either in error or because they misunderstood the implications of changing the setting. To make matters worse, search engines like Google are indexing the data, making it very easy to access sensitive information.

Here are some examples of publicly available Trello data discovered by one security researcher:

  • A staff board for a facilities company that listed names, emails, dates of birth, ID numbers, bank account information, and more.
  • An HR board that details a specific job offer to someone, including their salary, bonus and contractual obligations.
  • A board relating to a pub which included details of customer fraud, Gmail and social media passwords, and passwords and credentials belonging to a global IT household name.

So if you are a Trello user, check the status of your boards and set any board containing sensitive data to ‘Private’, or contact the board owner.