D

Trello

Serious concerns
Atlassian · 🇦🇺 Australia
Technical details
App: Trello
Manufacturer: Atlassian

The bottom line

15 million Trello users' email addresses exposed through an unsecured API. Separately, thousands of "public" Trello boards containing passwords, API keys, and confidential business plans are indexed by Google. People don't realise "public" means "on the internet." Their project board with database credentials is one Google search away. Passwords. API keys. Database credentials. Business strategies. All sitting on public Trello boards, indexed by Google. The UN. UK government agencies. Major corporations. Years of sensitive data, one Google search away, because Trello defaulted to "Public" and nobody checked.

Legal jurisdiction
🇦🇺 Australia (headquarters)
Assistance and Access Act
Govt can force companies to build backdoors in encryption — and gag them from telling you
Metadata Retention
ISPs and telcos must store 2 years of your connection data for law enforcement
🇺🇸 United States (data storage)
CLOUD Act
US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM
NSA collects stored emails, photos, messages without individual warrants
Geofence warrants
Police can demand location data for everyone near a crime scene
Spying
0/4 N/A
Is someone spying on me?
Data Sharing
1/4 LOW
Who gets my data?
Security
2/4 MODERATE
Is it actually secure?
Honesty
2/4 MODERATE
Can I trust what they say?
ACCEPTABLE Moderate concerns. Standard privacy hygiene applies.
2 Contradictions
0 Critical
2 High
0 Medium
2 Sources
Findings by concern
Security 2/4 MODERATE 2 findings
⚡ high · marketing vs third party research
15 million Trello users' email addresses exposed through an unsecured API. Separately, thousands of "public" Trello boards containing passwords, API keys, and confidential business plans are indexed by Google. People don't realise "public" means "on the internet." Their project board with database credentials is one Google search away.

What they claim: Trello promotes easy, visual project management for teams

What we found: Trello boards set to "Public" are indexed by search engines, and researchers have found thousands of boards containing passwords, API keys, business plans, personal data, and confidential project details accidentally exposed to the internet. A 2024 breach of Atlassian data exposed email addresses of 15 million Trello users through an unsecured API that allowed bulk email enumeration.

⚡ high · marketing vs third party research
Passwords. API keys. Database credentials. Business strategies. All sitting on public Trello boards, indexed by Google. The UN. UK government agencies. Major corporations. Years of sensitive data, one Google search away, because Trello defaulted to "Public" and nobody checked.

What they claim: Trello promotes easy collaboration for teams

What we found: Security researchers discovered thousands of Trello boards accidentally set to "Public" containing passwords, API keys, SSH credentials, database connection strings, business strategies, and personal data — all indexed by Google. The UN, UK government agencies, and major corporations were among those with exposed boards. Trello's default for new boards was changed to "Private" only after years of public exposure incidents.

Sources