Man
People, without knowing it, leak their passport data, passwords and bank cards directly into the hands of hackers. We show you with real examples!
Salute to all, dear friends!
Today I would like to touch on a very important topic, namely, to analyze how your passport data, passwords and other things of interest to hackers ended up/could end up on the Internet.
- I'm not one to chat, so this article will be practical!
Our "hero" today is the online project manager Trello, whose public task boards are indexed by search engines and contain an incredible amount of confidential information.
For those who don't know, Trello is a very popular personal and business management program.
Well, shall we begin the hunt?
- To start, here's a classic example of what you can find on public Trello boards if you spend 20 seconds of your time:
I have deliberately blurred some of the data.
Do you think the example above is an isolated case? No way! Another 20 seconds of my time and I see this:
Well, now a little more detail... Trello has 3 levels of board privacy: private, team and public. Public boards are available via a link, but, unlike, say, YouTube videos available via a link, these boards are indexed by search engines, which is clearly stated in the description on the site. But who cares about that...
The story of public Trello boards first came up a few years ago. A couple dozen articles were published that said that you shouldn't post sensitive data on public Trello boards, but as usual, everything was discussed and forgotten.
- Let's see what Google gives us for this request: пароль site:https://trello.com/b/
In the first place in the search results we come across the now closed board “SMM for Nina”, on which just a couple of days ago one could find logins and passwords from all the pages of the Cypriot photographer Nina Koroleva, in particular, from the page https://www.instagram.com/otkrovenno_nina/.
We sincerely hope that Nina changed all logins and passwords, as all of them have been appearing on the first pages of Google search results for many weeks.
But Nina, or rather her SMM specialists, are just the tip of the iceberg.
Just think about it: a simple query for password when searching the Trello website gives us more than 9 thousand results.
- Want Roblox passwords? Please:

- Want passwords for Instagram and other services? Thousands of them!
Trello reveals the pressing problems of small and medium businesses. For example, this board assigns someone responsible for compiling a list of sex shops for a BDSM hotel.
An analysis of the content posted in Trello shows that a significant portion of public boards belong to SMM specialists and marketers. But does this mean that they are the main cause of unintentional information leaks? Of course not.
Passwords are just lying around in projects. A variety of projects, from marketing to development.
- Here, for example, are the passwords of one individual entrepreneur for access to the remote banking system of 6 banks at once:
- Here is a calculation of the salary costs of one regional medical center:
In fact, this list can be continued indefinitely. You just enter in the search site:https://trello.com/b/ and enjoy the result.
An example of a public card of a company that provides its clients with assistance in participating in tenders.
The list goes on and on. Trello has boards created by employees of government agencies and state corporations.
Naturally, this is a completely unhealthy situation both from the point of view of corporate security and from the point of view of handling the personal data of clients and employees.
Information posted in the public domain can be used in dozens of different criminal schemes: from banal hacking of corporate Instagram accounts (a wave of such hacks, by the way, swept through last fall) to sociotechnical attacks on organizations and their clients.
In addition, such business practices may raise questions from regulatory authorities - storing scans of clients' passports in a public repository (and even located abroad) is weak, or rather does not correspond in any way with the provisions of the Federal Law "On Personal Data".
It would be foolish to assume that this information will not fall into the hands of, or has not already fallen into the hands of, criminals. In Trello, it is quite convenient to search for the necessary data manually, but if desired, this process can be easily automated.
Perhaps I am writing things that are obvious to our readers, but practice shows that they are far from obvious to everyone. Well, to finish my story in a positive way, I have prepared a small selection of interesting artifacts found in the process of analyzing Trello data.
- Let's start, perhaps, with the "Russian brides" boards that rip off gullible foreigners. The boards are quite old, but they give an excellent idea of how this criminal business works:

- Trello really does take teamwork to the next level—now you can work together as a team to divorce unhappy grooms.



- Okay, we've dealt with the fake brides, now Trello will reveal to us the seamy side of the webcam industry:

The tasks of "buy instant noodles" and "fix a mop" are here adjacent to learning how to use a strap-on. A purely pragmatic approach.
- The BDSM hotel we already know does not hesitate to show the whole world its internal documentation and about a hundred passwords for all conceivable accounts:
But Trello is not just a business story, among the open boards you can find hundreds of pages of people who make plans for the future and discuss the details of their personal lives, sharing them with the entire Internet. Here you can find everything: plans for seducing classmates, a schedule for realizing sexual fantasies, and 10 steps to losing weight for the beach season. We will not publish links or screenshots of such boards and invade privacy.
But we can observe other people’s successes, isn’t that shameful?
- Here, for example, is Georgy from Kazakhstan, who set himself some very non-trivial goals for 2021:
What is the point of all this text?
You can flaunt your personal life as much as you want, but when you use a public service like Trello, be prepared for your sensitive data to end up in the hands of bad guys.
I want to point out the fact that I have given the most harmless things as examples. In the process of analyzing Trello, I came across something that I simply would not risk publishing, so as not to jeopardize specific organizations. And all of this continues to lie openly on the Internet.
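An added example, not part of the original post: a check a board owner can run over their own exported boards to find ones that are public (the level the post says search engines index) and hold cards that look like credentials or card numbers. It assumes the board export is JSON with `prefs.permissionLevel`, `cards[].name`, `cards[].desc` and `cards[].shortUrl`; the keyword list, the `trello.example` URLs and all sample values are constructed.

```python
import re

# Assumed keyword list (includes the Russian terms the post searches for); tune locally.
KEYWORDS = re.compile(r"(?i)\b(password|passwd|login|пароль|логин|passport|паспорт)\b")
PAN = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def card_findings(card: dict) -> list:
    """Return the kinds of sensitive data hinted at by a card's title and description."""
    text = f"{card.get('name', '')}\n{card.get('desc', '')}"
    hits = sorted({m.group(1).lower() for m in KEYWORDS.finditer(text)})
    if any(luhn_ok(re.sub(r"\D", "", m.group())) for m in PAN.finditer(text)):
        hits.append("card-number")
    return hits

def audit_board(board: dict) -> dict:
    """Report visibility and flagged cards for one exported board."""
    level = board.get("prefs", {}).get("permissionLevel", "unknown")
    flagged = {}
    for card in board.get("cards", []):
        found = card_findings(card)
        if found:
            flagged[card.get("shortUrl", card.get("name", "?"))] = found
    return {"board": board.get("name"), "level": level,
            "exposed": level == "public" and bool(flagged), "flagged": flagged}

# Constructed sample in the shape of a board JSON export; all values are made up.
SAMPLE_BOARD = {
    "name": "SMM plan (constructed)",
    "prefs": {"permissionLevel": "public"},
    "cards": [
        {"name": "Instagram access", "desc": "login: demo_user password: not-a-real-one",
         "shortUrl": "https://trello.example/c/AAA"},
        {"name": "Пароль от банка", "desc": "card 4111 1111 1111 1111",
         "shortUrl": "https://trello.example/c/BBB"},
        {"name": "Buy instant noodles", "desc": "order 1234 5678 9012 3456",
         "shortUrl": "https://trello.example/c/CCC"},
    ],
}

if __name__ == "__main__":
    print(audit_board(SAMPLE_BOARD))
```

Any board reported with `exposed` set should be switched to private or team visibility, and every credential found on it rotated, since it may already be cached by search engines.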