Trello, the platform used by many businesses for organizing to-do lists and coordinating team tasks, has recently exposed the personally identifiable information (PII) of its users. The finding was made by Craig Jones, global cybersecurity operations director at Sophos, who came across the exposed PII while searching Google (aka “Google Dorks”). There are some tools that are useful for this, including Pentest Tools’ “Google Hacking” tool.
How Did This Happen?
As a user of Trello himself, Craig Jones makes it a habit of reviewing the cybersecurity protections in the products he uses. While doing this, he discovered that the default configuration of Trello boards is “private”, but many users change this setting to “public”. Once a board is set to public, all the information on it can be viewed by anyone. These boards can be found using Google’s search engine, which indexes public Trello boards as simple HTML pages, making it simple for anyone to uncover a board’s content using specialized Google searches.
What Sort of Information Was Exposed?
Craig Jones found a mountain of PII in public Trello boards, such as names, emails, dates of birth, ID numbers and bank account information. A company’s HR board contained details such as a job offer to a potential employee, including their salary, bonus and contractual obligations. There was even specific information from a housing organization detailing all of the fixes needed in specific areas or homes, including door locks.
Below is an image from Craig Jones, showing PII exposed by a facilities company:
Here is another image, showing PII from a housing company:
I’m a Trello Admin or User – What Should I Do Today?
If you’re a Trello board admin with sensitive information in your boards, go and check the status of your boards and set anything with sensitive or critical data to “private”. If you are a Trello user and know that some of your sensitive data is exposed, one option is to contact the administrator behind the account, or to contact Trello directly and ask that the board be made private.
Best Practices for Companies with a Proliferation of 3rd party Website Use:
Security experts have long known that Google can turn up interesting content, including openly accessible video cameras, baby monitors, and a whole host of other sensitive information. If possible, limit the personal information you share on websites you’re not 100% certain are secure. Even Trello seemed like a reputable brand-name website, but through misconfigurations it is now being held to account for the ease with which private data is shared with everyone online through Google dorking.
Organizations that work with third-party websites such as Trello must create a review and approval process for all third-party Internet-based services. Develop and publish a process that:
- Enables employees at your company to request review and approval for access to a 3rd-party productivity website.
- Researches those 3rd-party applications to determine their fitness for use.
- Builds manual or (preferably) automatic access controls into onboarding and offboarding checklists to ensure that only employees who should have access do have access.
- Periodically reviews the configurations of these services to ensure they aren’t set to “Public”.
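The last item can be automated. The following audit script is an added example, not code from the original article or from Trello: it pulls the boards the authenticated member can see from the Trello REST API and flags any whose `prefs.permissionLevel` is `public`. The `TRELLO_KEY`/`TRELLO_TOKEN` environment variable names and the sample board list are assumptions constructed for illustration; without credentials the script runs against the sample data.

```python
"""Audit Trello boards for "Public" visibility (added example, not from the article or Trello).

Assumes the Trello REST API board object exposes prefs.permissionLevel with
values such as "private", "org" and "public". The sample boards below are
constructed, not real data.
"""
import json
import os
import urllib.parse
import urllib.request

TRELLO_API = "https://api.trello.com/1"


def fetch_boards(key: str, token: str) -> list:
    """Fetch every board visible to the authenticated member (network call)."""
    qs = urllib.parse.urlencode({"key": key, "token": token, "fields": "name,url,prefs"})
    with urllib.request.urlopen(f"{TRELLO_API}/members/me/boards?{qs}") as resp:
        return json.load(resp)


def find_public_boards(boards: list) -> list:
    """Return (name, url) for each board whose permission level is public.

    Boards with a missing prefs block are treated as not public; review them
    by hand rather than assuming they are safe.
    """
    exposed = []
    for board in boards:
        level = str(board.get("prefs", {}).get("permissionLevel", ""))
        if level.lower() == "public":
            exposed.append((board.get("name", "<unnamed>"), board.get("url", "")))
    return exposed


# Constructed sample mimicking the shape of the API response.
SAMPLE_BOARDS = [
    {"name": "HR - Offers", "url": "https://trello.com/b/example1", "prefs": {"permissionLevel": "public"}},
    {"name": "Sprint 12", "url": "https://trello.com/b/example2", "prefs": {"permissionLevel": "private"}},
    {"name": "Facilities", "url": "https://trello.com/b/example3", "prefs": {"permissionLevel": "org"}},
    {"name": "Legacy", "url": "https://trello.com/b/example4", "prefs": {}},
]

if __name__ == "__main__":
    key, token = os.environ.get("TRELLO_KEY"), os.environ.get("TRELLO_TOKEN")
    boards = fetch_boards(key, token) if key and token else SAMPLE_BOARDS
    for name, url in find_public_boards(boards):
        print(f"PUBLIC: {name} {url}")
```

Run it on a schedule (a cron job or CI step) so a board flipped to public is caught at the next review rather than by a stranger's Google search.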
By setting up these processes, you will reduce the likelihood of your or your company’s sensitive information being leaked online.