A database of nearly one million records, including information of a donor platform, has been discovered online without password protection.
Cybersecurity researcher Jeremiah Fowler is credited with finding more than 948,000 records in a database measuring over 465GB that is believed to belong to DonorView, a software provider for nonprofits.
Publishing Fowler’s findings, vpnMentor has confirmed that .xlsx, .csv, and PDF files containing sensitive information have all been leaked.
More than 465GB of data breached
Included in the data are details of payment methods, including PayPal and Venmo monthly summaries, payroll deductions, checks, and credit cards. Some donation records were also found to be containing transaction specifics, completion statuses, and donation frequencies.
Furthermore, Fowler said that personally identifiable information such as names, addresses, phone numbers, and emails were also included in many documents. One was reported to include the names and contact details of over 70,000 individuals, likely to be donors.
Fowler stresses that criminals would have sufficient information to pose as charities and defraud victims of money. Moreover, the data exposed could be used by hackers in phishing scams, identity theft, and more.
Among the many concerns mentioned is the use of legacy file formats – for example, Excel users are being urged to use more secure .xlsx formats over .xls. The older .xls file type has limited encryption and password capabilities and can be vulnerable to macro viruses.
The report notes that DonorView did indeed use .xlsx files, however they lacked additional protection such as encryption.
Moreover, charity donors are being advised to exercise maximum caution when it comes to receiving suspicious emails or phone calls asking for personal or payment information.
Fowler says that the database was removed from public access following notification to DonorView, however no formal response was received. TechRadar Pro has given DonorView an opportunity to comment, but the company did not immediately respond.
More from TechRadar Pro
- Concerned you may be affected? Check out the best identity theft protection
- Toyota warns data breach may have exposed customer financial information
- Boost your cybersecurity with the best firewalls and best endpoint protection