ATTN Trello Users: Don’t Post Your Passwords on Your Boards

These days, with so many website accounts to keep track of, we turn to applications that can offer us the most convenience in maintaining all our passwords in one place, but dear Trello users: Trello is not a great way to preserve this precious information.

Initiated in 2011, Trello has become a space in which project collaboration with team members is made easy through sharing of boards and lists. However, the site has also become popular for the use of password listing for users, and this comes with consequence, as members of the community are susceptible to password thieves and hackers.

Research from David Shear of Flashpoint–a security firm–found that many users posted login credentials, passwords, and sensitive data on public, or “open” boards. He and Brian Krebs of KrebsOnSecurity alerted Trello of the boards, and some users have already been notified via comment posts like “Change your password” on their boards from other community members.

As Krebs explains on his post:

“One particularly jarring misstep came from someone working for Seceon, a Westford, Mass. cybersecurity firm that touts the ability to detect and stop data breaches in real time. But until a few weeks ago the Trello page for Seceon featured multiple usernames and passwords, including credentials to log in to the company’s WordPress blog and iPagedomain hosting.”

Trello is now working with both Krebs and Shear to purge the site of its public boards with sensitive data, further teaming up with Google to clear the cached sites.

As one Trello spokesperson comments:

“We have put many safeguards in place to make sure that public boards are being created intentionally and have clear language around each privacy setting, as well as persistent visibility settings at the top of each board.”

While Trello can be used for business purposes, it’s safe to say it’s not the best place to store your passwords, especially if there are options to make your boards public. Do yourself a huge favor, and steer clear of pasting passwords on sites/apps that can potentially post your information publicly.

 
For more information from the original article, please click here.