Cybersecurity researcher Jeremiah Fowler has uncovered a non-password-protected database housing nearly 1 million records. This database comprises sensitive information related to a donor platform, encompassing details about charitable organizations and donors.
The publicly accessible database, totaling 948,029 records and occupying 465.27 GB, revealed a significant lapse in security protocols. Subsequent investigation revealed that the database is associated with DonorView, a company based in Massachusetts and developed and owned by Connected View.
DonorView is a cloud-based fundraising and donor management software solution designed to assist nonprofit organizations, including charities, schools, religious institutions, and other nonprofit entities in managing their fundraising efforts and donor relationships. It provides a suite of tools and features to help nonprofits streamline their operations and improve their fundraising campaigns. According to their website, 200,000+ organizations in 160+ countries manage their data in DonorView; with this tool, these nonprofits have purportedly raised $2,900,000,000 and seen a 46% increase in revenue.
According to Fowler, the discovered records were.xlsx,.csv, and.PDF files containing a wide range of information, including donations or gifts broken down into categories and details of payment methods such as PayPal and Venmo monthly summaries, payroll deductions, checks, or credit cards.
Some of these donation records also contained transaction specifics, completion statuses, and the frequency of donations (one-time, monthly, or yearly basis). Many of these documents also contained personally identifiable information (PII) such as donor names, addresses, phone numbers, emails, and more. The documents listed a massive number of “constituents”, which possibly refer to an organization’s members, donors, volunteers, or partners. Some documents appeared to show information about businesses that either supported or gave donations to individual charitable organizations or would be prospects for future donations.
The exposed database contained 1,525 folders with various engagement files such as event images, buttons, team members, sponsors, logos, etc. The database also contained a shared folder with 653 sub-folders, which is where the spreadsheets believed to contain donor data were stored.
