vpnMentor reports that its security researcher Jeremiah Fowler recently uncovered an unprotected database housing nearly 1 million records. The database contained sensitive data from a donor platform, including information about charitable organizations and their donors.
The exposed database, totaling 948,029 records and 465.27 GB in size, reportedly belonged to DonorView, a fundraising and donor management software product developed by Massachusetts-based Connected View. Despite Fowler’s immediate responsible disclosure notice, the database remained publicly accessible for several days before it was finally secured, and DonorView never formally acknowledged the report, vpnMentor said.
DonorView, which serves nonprofit organizations worldwide, offers tools to manage fundraising efforts and donor relations. The exposed records included .xlsx, .csv, and .pdf files containing details on donations, payment methods, and personally identifiable information (PII) such as names, addresses, and email addresses. Other documents described specific charitable activities, including children’s medical information and waivers for the use of their images.
Because the platform reportedly serves over 200,000 organizations globally, the exposure of donor data presented a significant security risk. Potential consequences include fraudulent donation requests, phishing scams targeting donors, and the misuse of sensitive donor information by unauthorized parties.
Fowler sampled the records and found a single document containing over 70,000 names and contact details of donors. Among the other sensitive material in the database was a document from a hospital charity fundraiser for children that included each child’s name, attending doctor’s name, medical conditions, and a waiver indicating whether the child’s image could be used for marketing purposes.
According to DonorView’s website, 200,000+ organizations in 160+ countries manage their data in DonorView; with this tool, these nonprofits have purportedly raised $2,900,000,000 and seen a 46 percent increase in revenue.
The DonorView platform includes communication and engagement tools, such as email marketing and donor communication templates, that help nonprofits engage with their supporters and keep them informed about the organization’s activities and initiatives. The exposed database contained 1,525 folders with various engagement files, including event images, buttons, team member photos, sponsor material, and logos. It also contained a shared folder with 653 sub-folders, which is where the spreadsheets believed to hold donor data were stored.
Fowler, a cybersecurity researcher at vpnMentor and co-founder of Security Discovery, emphasized the need for robust cybersecurity measures on platforms that handle sensitive data. He advised organizations to implement encryption, access controls, and regular security audits, and urged affected donors to be wary of unsolicited communications asking for personal or financial information.
As an ethical researcher, Fowler reported the exposure responsibly and highlighted the urgency of protecting sensitive data from potential threats. Although the database was eventually secured, DonorView never sent a formal response, underscoring the need for heightened cybersecurity awareness and robust data protection measures.