A database containing nearly a million records, including information from a donor platform, has been discovered online without password protection.
Cybersecurity researcher Jeremiah Fowler is credited with finding more than 948,000 records in a database of more than 465 GB believed to be owned by DonorView, a software provider for nonprofits.
vpnMentor, which published Fowler's findings, has confirmed that .xlsx, .csv and PDF files containing sensitive information have all been leaked.
More than 465 GB of data has been breached
Included in the data are details of payment methods, including monthly statements from PayPal and Venmo, payroll deductions, checks and credit cards. Some donation data was also found to include transaction specifications, completion statuses, and donation frequencies.
In addition, Fowler said personally identifiable information such as names, addresses, phone numbers and emails were also included in many documents. One reportedly contained the names and contact details of more than 70,000 people, likely donors.
Fowler emphasizes that criminals would have enough information to pose as charities and defraud victims of money. Additionally, the exposed data can be used by hackers in phishing fraud, identity theft, and more.
One of the many concerns mentioned is the use of older file formats. For example, Excel users are urged to use more secure .xlsx formats instead of .xls. The older .xls file type has limited encryption and password capabilities and may be vulnerable to macro viruses.
The report notes that DonorView did indeed use .xlsx files, but these did not have additional protection such as encryption.
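A defender's check for the point above, as an added example that is not from the report or from vpnMentor: it classifies spreadsheet files by content rather than by extension and flags the ones stored without encryption. It relies on the fact that a password-encrypted .xlsx is an OLE2 compound file holding an `EncryptedPackage` stream, while an unencrypted one is a plain ZIP; the byte search for stream names is a heuristic, and the file names and sample contents are constructed stubs.

```python
import io
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary header
ZIP_MAGIC = b"PK\x03\x04"                        # ZIP local file header

def utf16(name):
    # OLE2 directory entries store stream names as UTF-16LE
    return name.encode("utf-16-le")

def classify_spreadsheet(data):
    """Classify a file by its content, ignoring the extension."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "unknown"
        return "xlsx-unencrypted" if "xl/workbook.xml" in names else "unknown"
    if data.startswith(OLE2_MAGIC):
        # Heuristic: search for the stream name instead of parsing the directory
        if utf16("EncryptedPackage") in data:
            return "xlsx-encrypted"
        if utf16("Workbook") in data or utf16("Book") in data:
            return "xls-legacy"
    return "unknown"

def sample_xlsx():
    # Constructed minimal OOXML-style ZIP (not a workbook Excel would open)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
    return buf.getvalue()

def sample_ole2(stream_name):
    # Constructed stub: header magic, padding, then one directory-entry name
    return OLE2_MAGIC + b"\x00" * 504 + utf16(stream_name)

def audit(files):
    """Return (name -> detected format, sorted names that are not encrypted)."""
    report = {name: classify_spreadsheet(blob) for name, blob in files.items()}
    flagged = sorted(n for n, kind in report.items() if kind != "xlsx-encrypted")
    return report, flagged

SAMPLES = {  # constructed inputs; the third is a legacy file renamed to .xlsx
    "donors_2023.xlsx": sample_xlsx(),
    "payroll.xlsx": sample_ole2("EncryptedPackage"),
    "statements.xlsx": sample_ole2("Workbook"),
    "contacts.csv": b"name,email\n",
}
```
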
Additionally, charity donors are advised to exercise maximum caution when it comes to receiving suspicious emails or phone calls requesting personal or payment information.
Fowler says the database is no longer accessible to the public after notification to DonorView, but no formal response has been received. Ny Breaking gave DonorView the opportunity to comment, but the company did not immediately respond.