{"id":18258,"date":"2021-04-22T21:44:24","date_gmt":"2021-04-22T17:44:24","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/trello-data-leaks\/18258\/"},"modified":"2021-04-22T21:44:41","modified_gmt":"2021-04-22T17:44:41","slug":"trello-data-leaks","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/trello-data-leaks\/18258\/","title":{"rendered":"Trello data leak"},"content":{"rendered":"

Data belonging to users from hundreds of large and thousands of small companies has been leaked from Trello, according to some media reports<\/a>. It was not a leak in the normal sense of the word; the companies had been using Trello for years without bothering to configure the privacy settings properly, and the current fuss is about some researchers making that information public.<\/p>\n

In truth, reports of another company storing important data openly in Trello make the news every couple of years. Researcher Kushagra Pathak attempted to highlight the issue<\/a> on Medium three years ago. Unfortunately, such warnings tend to have only a brief effect.<\/p>\n

What got leaked, and why<\/h2>\n

Trello members use boards to collaborate on projects. The boards are private \u2014 not viewable by anyone outside of the team \u2014 by default, but when users need to show a board to anyone not on the team, they set the board\u2019s visibility to public<\/em>. At that point, any user can open the board with a direct link, and search engines can index the information on it. Access to each board is configured separately.<\/p>\n

An appropriately formed search query can uncover lots of public boards belonging to various companies. Among them lurk website credentials, document scans, and confidential business discussions, which various researchers have been finding and publishing.<\/p>\n

Unauthorized access to your company\u2019s Trello workspace can spell trouble even if you do not keep any confidential documents or passwords there. Attackers can use business information to make their social engineering attacks more persuasive, for example, by initiating correspondence with an employee and quieting their vigilance by mentioning details from current projects.<\/p>\n

Configuring Trello to keep information private<\/h2>\n

By changing just two settings, you can stop search engines from indexing data in your Trello workspace. The less important one is workspace visibility; more important, each board\u2019s visibility.<\/p>\n

Workspaces have two visibility settings: private and public. The choice is clear.<\/p>\n

\"Trello<\/a><\/p>\n

Boards allow more options: private (only board members have access), workspace (all workspace members have access), organization (all employees have access \u2014 this is for business accounts only), and public (everyone has access). The current Trello interface provides a clear enough description of visibility options, which suggest Web crawlers have access to public boards only, so any other option but public would have prevented the so-called leakage.<\/p>\n

\"Trello<\/a><\/p>\n

We believe work-related information should be restricted to a minimum of employees, and therefore, using a private option is always better. It\u2019s a bit more work \u2014 someone will have to manage who has access to each board \u2014 but it helps ensure information integrity.<\/p>\n

Ensuring secure collaboration<\/h2>\n

Configuring your Trello boards for appropriate visibility will prevent the information from going public. Consider these other important measures as well:<\/p>\n