After being notified, the platform secured the exposed data but did not respond to the cyber researcher, leaving data security unanswered.
Nearly 1m records belonging to DonorView, a fundraising and donor management firm, were exposed online for an indeterminate amount of time.
According to a cybersecurity researcher at vpnMentor, Jeremiah Fowler, the leak of around 948,029 records totaling 465.27GB including personally identifiable data such as donor names, addresses, phone numbers, email addresses and other data has put non-profit organizations and donors at risk.
Fowler also found documents in the non-password-protected leaked database that appeared to show information about businesses that either supported or gave donations to individual charitable organizations, or would be prospects for future donations.
The DonorView platform includes communication and engagement tools like email marketing and donor communication templates to help non-profits engage with their supporters and keep them informed about various fund-raising activities and initiatives. The exposed database contained 1,525 folders with various engagement files such as event images, buttons, team members, sponsors, logos, and so on. The database also contained a shared folder with 653 sub-folders, which is where the spreadsheets believed to contain donor data were stored.
Upon the discovery of the leaked data, Fowler promptly sent DonorView a ‘responsible disclosure’ notice. The exposed database was secured from public access several days later, but Fowler had not been issued a confirmation or reply.
According to the researcher, it is unclear how long the records were publicly exposed, or who else may have had access to the exposed database. However, Fowler has issued advice to donors and organizations whose data were leaked: beware of any suspicious emails or phone calls requesting personal, credit, or banking information. In other non-related breaches, cybercriminals have attempted to exploit exposed data for phishing scams, identity theft, fraudulent donation requests and more.
“People who suspect their personally identifiable data has been leaked should take a proactive approach to safeguarding their personal information” to mitigate potential risks and lower the chances of being the victims of fraud, Fowler wrote in his company blog.
