Data leaked from public boards in Trello

Data belonging to users from hundreds of large and thousands of small companies has been leaked from Trello, according to some media reports. It was not a leak in the normal sense of the word; the companies had been using Trello for years without bothering to configure the privacy settings properly, and the current fuss is about some researchers making that information public.

In truth, reports of another company storing important data openly in Trello make the news every couple of years. Researcher Kushagra Pathak attempted to highlight the issue on Medium three years ago. Unfortunately, such warnings tend to have only a brief effect.

What got leaked, and why

Trello members use boards to collaborate on projects. The boards are private — not viewable by anyone outside of the team — by default, but when users need to show a board to anyone not on the team, they set the board’s visibility to public. At that point, any user can open the board with a direct link, and search engines can index the information on it. Access to each board is configured separately.

An appropriately formed search query can uncover lots of public boards belonging to various companies. Among them lurk website credentials, document scans, and confidential business discussions, which various researchers have been finding and publishing.

Unauthorized access to your company’s Trello workspace can spell trouble even if you do not keep any confidential documents or passwords there. Attackers can use business information to make their social engineering attacks more persuasive, for example, by initiating correspondence with an employee and quieting their vigilance by mentioning details from current projects.

Configuring Trello to keep information private

By changing just two settings, you can stop search engines from indexing data in your Trello workspace. The less important one is workspace visibility; more important, each board’s visibility.

Workspaces have two visibility settings: private and public. The choice is clear.

Trello workspace visibility settings

Boards allow more options: private (only board members have access), workspace (all workspace members have access), organization (all employees have access — this is for business accounts only), and public (everyone has access). The current Trello interface provides a clear enough description of visibility options, which suggest Web crawlers have access to public boards only, so any other option but public would have prevented the so-called leakage.

Trello board visibility settings

We believe work-related information should be restricted to a minimum of employees, and therefore, using a private option is always better. It’s a bit more work — someone will have to manage who has access to each board — but it helps ensure information integrity.

Ensuring secure collaboration

Configuring your Trello boards for appropriate visibility will prevent the information from going public. Consider these other important measures as well:

  • Carefully manage the list of users who have access to your Trello workspace and each board. If anyone leaves the project, the team, or the entire company, revoke their access right away;
  • Educate employees about the importance of using strong passwords, and recommend they activate Trello’s two-factor authentication option;
  • Ensure that every employee responsible for information security knows which online collaboration tools all employees use and what information they store in those tools and services. That information is required for assessing risks and creating a threat model;
  • Install a security solution on every computer, bearing in mind that any collaboration tool can be turned into a channel for spreading cyberthreats (malicious files or links).