Close to a million records containing personally identifiable information belonging to donors that sent money to non-profits were found exposed in an online database.
The database is owned and operated by DonorView - provider of a cloud-based fundraising platform used by schools, charities, religious institutions, and other groups focused on charitable or philanthropic goals.
Infosec researcher Jeremiah Fowler found 948,029 records exposed online including donor names, addresses, phone numbers, emails, payment methods, and more.
Manual analysis of the data revealed what appeared to be the names and addresses of individuals designated as children - though it wasn't clear to the researcher whether these children were associated with the organization collecting the donation or the funds' recipients.
Another document seen by Fowler revealed children's names, medical conditions, names of their attending doctors, and information on whether the child's image could be used in marketing materials - though in many cases this was not permitted.
In just a single document, more than 70,000 names and contact details were exposed, all believed to be donors to non-profits.
Neither Fowler nor The Register has received a response from the US-based service provider, though Fowler said it did secure the database within days of him filing a disclosure report.
DonorView claims to have more than 150,000 users, including major organizations such as Habitat for Humanity and Meals on Wheels America.
Although the database is now secure, Fowler noted that the length of time for which the information was exposed couldn't be determined - nor was it clear if the data had been accessed by unauthorized parties.
The finding illustrates the importance of keeping databases secure, and will likely raise alarm over the potential for phishing attacks against donors whose information was exposed.
This Cyber News was published on go.theregister.com. Publication date: Wed, 13 Dec 2023 10:43:05 +0000