Don’t put passwords in Trello – TechCrunch
New research from David Shear at security firm Flashpoint found that there are many, if not thousands, of open Trello boards containing passwords, login credentials, and other potentially sensitive material, including employee on-boarding documents. He and Brian Krebs reported the boards to Trello, though some users had already been notified by well-meaning hackers who wrote “Change your password” on some of these public boards.
“One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time,” wrote Krebs. “But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPage domain hosting.”
Another Trello board, made at Red Hat in 2017, offered passwords to a pair of online test servers.
Trello worked with the pair to take down the public boards they found and is working with Google to remove the cached sites.
“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board,” said a Trello spokesperson.
Missteps like these are sadly common. Another rich trove of user data, Github, has been used to find private passwords for years. Anecdotally, a project I was working on suffered a breach when the CTO put a Bitcoin private key into some public Github code. Yeah. Exactly.
So, again, keep your Trello boards private, don’t paste passwords willy-nilly, and maintain at least a basic level of operational security by not pasting passwords into any site that could make them public. It’s hard but definitely worth the effort.