A friendly reminder: Don’t put passwords in Trello

A new bit of research from David Shear at security firm Flashpoint found that there are hundreds if not thousands of open Trello boards containing passwords, login credentials, and other potentially sensitive stuff including employee on-boarding documents. He and Brian Krebs reported the boards to Trello although some folks have already been notified by well-meaning hackers who wrote “Change your password” on some of these public boards.

“One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time,” wrote Krebs. “But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.”

Another Trello board made at Red Hat in 2017 offered passwords to a pair of online test servers.

Trello worked with the pair to take down the public boards they found and is working with Google to remove the cached sites.

“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board,” said a Trello spokesperson.

Missteps like these are sadly common. Another rich trove of user data, Github, has been used to find private passwords for years. Anecdotally, a project I was working on suffered a breach when the CTO put a Bitcoin private key into some public Github code. Yeah. Exactly.

So, again, keep your Trello boards private, don’t paste passwords willy-nilly, and maintain at least a basic level of operational security by not pasting passwords into any site that could make it public. It’s hard but definitely worth the effort.