Here is another (Google) search query that yields a lot of email addresses and passwords:
site:vk.com/doc "@gmail.com"
As it turns out, vk.com (and other large social networks) are used for discreetly sharing large lists of credentials. These are publicly crawled by Google but do not typically end up on lists of email or password breaches. You can find many credentials this way that are not (for example) in the haveibeenpwned database.
More generally this is why "google dorking" can be a sophisticated reconnaissance method for collecting a variety of data that is technically public but not intentionally so.
"VKontakte (or VK for short) is a social media networking site. Like most social media networks you can add friends, gain followers, and post photos of your food and your cat. VK, like Facebook also gives companies the ability to create their own pages for marketing purposes."
VK is essentially Russian Facebook. Russian hackers use it to store and share login lists from compromised servers, much like pastebin is used; however, because most of the description alongside the list is in Russian, it doesn't always get the sort of attention that an English-language list would, e.g. end up on Krebsonsecurity or HIBP.com.
Holy crap. There are a ton of what look like auto-generated or temporary emails in those lists. There are also a lot of what appear to be legitimate emails. That took all of two seconds.
The first two links I clicked gave me lists of emails.
The third one gave me a list of colon-delimited emails and passwords.
I don't think it is a blunder: these are not emails being exposed accidentally by vk.com, these are credential lists created by hackers and shared or stored on vk.
You can also search for AWS keys and you’ll find quite a few. Or for Heroku keys.
It’s funny and sad at the same time.
> the access key for amazon s3 is:
> User XXXXXXX
> Access Key ID: XXXXXXXXXXXXXXXXXXX
> Secret Access Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> Let me know when you've recorded these and I'll delete the comment.
(blacked out by me)
Or fitgoapp, which has publicly accessible services, with passwords "fitgo" and "fitgoapp" (also visible on trello).
Just go through the entire list of queries at https://www.exploit-db.com/google-hacking-database/ you’ll find so many exposed passwords, it’s crazy. No one ever properly protects their keys and passwords.
At a previous company, a new employee accidentally committed his AWS credentials to a public GitHub repo, which had instance creation capabilities.
It got scraped and we had the max amount of instances created at every zone (we assume for mining).
I assume you have bots scraping public sites for those creds at all times.
I think Trello should be doing similar scraping, automatically. My work does, granted it is potentially a bit easier in our case. We scan things like GitHub repos and look for credentials to our system, and, if found, deactivate the credential and reach out to the customer.
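The scanning step described in the comment above, as an added example that is not the commenter's, Trello's or GitHub's code: a small Python scanner for the credential shapes that appear in this thread (AWS access key IDs, a labelled secret access key, and colon-delimited email:password lines) that reports findings with the secret redacted, so the output is safe to hand to a review or revocation step. The sample text is constructed for the example and uses the key values from AWS's own documentation examples.

```python
"""Scan text (a public board, comment or repo file) for leaked credential shapes."""
import re
from dataclasses import dataclass

# Long-term IAM user keys start with AKIA, temporary STS keys with ASIA.
AWS_ACCESS_KEY_ID = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A 40-character secret following a "Secret Access Key:" style label.
AWS_SECRET_KEY = re.compile(
    r"(?i)secret\s*access\s*key\s*[:=]\s*([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
# email:password pairs, the colon-delimited list format mentioned in the thread.
EMAIL_PASSWORD = re.compile(r"\b([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}):(\S+)")


@dataclass
class Finding:
    line_no: int
    kind: str
    redacted: str  # never store or log the full secret


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix for triage, mask the rest."""
    if len(value) <= keep:
        return "*" * len(value)
    return value[:keep] + "*" * (len(value) - keep)


def scan_text(text: str) -> list[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws_access_key_id", redact(m.group(1))))
        for m in AWS_SECRET_KEY.finditer(line):
            findings.append(Finding(line_no, "aws_secret_access_key", redact(m.group(1))))
        for m in EMAIL_PASSWORD.finditer(line):
            pair = m.group(1) + ":" + redact(m.group(2), keep=0)
            findings.append(Finding(line_no, "email_password_pair", pair))
    return findings


# Constructed sample, shaped like the board comment quoted in this thread.
SAMPLE = """\
the access key for amazon s3 is:
User build-deploy
Access Key ID: AKIAIOSFODNN7EXAMPLE
Secret Access Key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
contact us at support@example.org if this breaks
dumped list follows
alice@example.org:hunter2
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f"line {f.line_no}: {f.kind} -> {f.redacted}")
```

A bare email address on its own line (line 5 of the sample) is not reported, only the email:password shape is.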
I tried to create a Trello board just now and the default visibility setting is private. I assume that hasn't always been the case, otherwise people really went out of their way to make these boards public.
I don't think that was always the case. Recently I was googling my name and I found out I have a bunch of Trello boards for various student projects that I completely forgot about (think "startups" but we've never gotten anywhere with them). I was surprised to see that. I don't think we deliberately made them public.
I don't think this is a GDPR violation or a security vulnerability.
The purview of GDPR is personally identifiable information, whereas these are vulnerability details and passwords. If companies were storing their user lists in Trello boards that might be a bit different, but the examples in this blog post do not seem to be related to user data. They are also being volunteered by the companies using Trello, not Trello itself, so a potential violation would probably be levying fees against individual companies.
It also doesn't strike me as a security vulnerability because it's not a technical failure in Trello's software. This is closer to accidentally publishing AWS keys on Github or opening a phishing email, and in neither case would GitHub or (say) Gmail be responsible for that. There are proactive steps they can take to mitigate this kind of mistake (as GitHub and Gmail do), and it's arguable Trello should do the same, but it doesn't seem like a compliance or security failure whatsoever.
Although PII is dealt with in GDPR, GDPR doesn't only cover PII, and it makes numerous references to the obligation on anybody who processes personal data (not just PII) with respect to security. For example "Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing."
While I appreciate the integrity of the researcher, companies that are so careless don't deserve responsible disclosure. They deserve someone anonymously logging in with those credentials and rm -rf'ing the entire company and user data.