The publicly exposed database contained a total of 948,029 records with a size of 465.27 GB. Upon further research, it appeared that the database belonged to DonorView, a product developed and owned by Massachusetts-based Connected View. I immediately sent a responsible disclosure notice, and the database was secured from public access several days later, although I did not receive a confirmation or reply.
DonorView is a cloud-based fundraising and donor management software solution designed to assist nonprofit organizations, including charities, schools, religious institutions, and other nonprofit entities in managing their fundraising efforts and donor relationships. It provides a suite of tools and features to help nonprofits streamline their operations and improve their fundraising campaigns. According to their website, 200,000+ organizations in 160+ countries manage their data in DonorView; with this tool, these nonprofits have purportedly raised $2,900,000,000 and seen a 46% increase in revenue.
Among the discovered records were .xlsx, .csv, and .PDF files containing a wide range of information, including donations or gifts broken down into categories, as well as details of payment methods such as PayPal and Venmo monthly summaries, payroll deductions, checks, and credit cards. Some of these donation records also contained transaction specifics, completion statuses, and the frequency of donations (one-time, monthly, or yearly). Many of these documents also contained personally identifiable information (PII) such as donor names, addresses, phone numbers, emails, and more. The documents listed a massive number of “constituents”, a term that possibly refers to an organization’s members, donors, volunteers, or partners. There were also documents that appeared to show information about businesses that either supported or gave donations to individual charitable organizations, or that would be prospects for future donations. Read my full report of the DonorView data breach here.