Kars4Kids is a charity that asks people to donate their cars, motorcycles, RVs, and real estate. They are most known for their nationwide advertising using their hypnotic theme song where a child and a Johny Cash impersonator sing the phone number and invites people to donate their cars today.
On Nov 3rd Bob Diachenko Director of Cyber Risk Research at Hacken.io and a senior advisor of SecurityDiscovery.com found what appeared to be a publicly accessible MongoDB. Upon further investigation the data seemed to contain the emails and personal details of 21,612 Kars4Kids donors /customers plus super administrator password/login details.
What is worse is that there were internal accounts with usernames and passwords that cyber criminals may have used to access Kars4Kids dashboard, with other more sensitive data – like vacation vouchers (free holidays for those donated their vehicles) and receipts, with personal data like emails, home addresses, phone numbers etc.
As security researchers never circumvent passwords or access this type of data we can only speculate that cyber criminals could easily log in to accounts or abuse admin privileges.
The Ransom Note
We have seen multiple misconfigured instances of MongoDB where human error makes the database publicly accessible without a password. This means that anyone with an internet connection could have had access to Kars4Kids’ data. In fact clear evidence that cyber criminals placed a ransom note inside their database.
In 2017 three groups of hackers have wiped around 26,000 MongoDB databases and demanded victims to pay about $650 to have them restored. In total researchers estimate as many as 75,000 databases were affected. In March 2018 Bob Diachenko conducted a test by creating a honeypot database that contained 30GB of fake data. It took only three hours for hackers to identify the database before wiping out its data in just 13 seconds and leaving a ransom note demanding 0.2 Bitcoin.
In reference to seeing a ransom note in your database MongoDB’s director of product security, Andreas Nilsson told ZDNet ”You should assume that the attacker has a copy of all data from the affected database”.
We can not confirm or deny that cyber criminals have downloaded the entire Kars4Kids’ database, but the ransom note provides reasonable suspicion that it is a possibility. It is unclear how long the data was exposed or how many others gained access to it before the notification was sent and ultimately secured.
The Firewall at the Top and Response
On Nov 3rd a notification email was sent to multiple email addresses with no reply and the database remained open until the evening of Nov 5th. It took 3 hours by phone to reach someone despite telling the volunteers who answer the phones that this is a serious issue and we need to speak with someone in the IT Technology department or senior management. On one occasion the call was forwarded to someone in Israel who could not give me names, contacts, or emails of anyone who could secure the data and told me to call the same main number again (the infinite loop).
We get it that it is a common practice to create a buffer zone between the public and senior managers or leadership. However, the most shocking thing was that any organization or company would not have a data breach or crisis action plan for when a report is made. During the notification process we told anyone who would listen what happened, how important it is and that we must speak with someone to help secure this data urgently. The issue here is that every organization must understand the value of the information they store and collect. They must take every possible step to secure and protect that data. This includes training everyone to be on the same page and enact a data breach protocol for when the worst happens.
On November 7th we received a reply from a Kars4Kids representative:
“We take the security of our donors’ information extremely seriously. After looking into this matter, we immediately secured the vulnerable database, notified the FBI cyber division, and also informed those donors whose information was affected. Unfortunately, as a nonprofit organization, we do not have a discovery bounty program in place. We do very much appreciate your letting us know of this issue and your dedication to keeping the web secure”
As security researchers our primary goal is protecting user’s data online and data security education. We report facts and opinions and have no bias in the companies or individuals we report on. Charity is a very honorable cause and we are not implying any wrongdoing by Kars4Kids or their sister company Oorah. However, when researching more closely we discovered that the charity has faced some controversy in the past and we wanted to include that in the report.
Few things except maybe politics inspire as much hatred as the Kars4Kids advertising jingle. The song was recorded in 1999 and has achieved cult status for good or bad. It has been parodied by FOX’s cartoon series Family Guy, used as CIA torture in a SNL skit, and radio host Don Imus was recorded on a “hot mic” telling the charity to “go to hell” over the song. Jerry Seinfeld was quoted on a podcast as saying. “I don’t know any kids that need cars, I don’t know what they’re doing with these cars, I want to know who’s giving away a car.” Noisey / Vice write an entire article titled 1-877-KARS-4-KIDS: Behind the Most Hated (and Best) Jingle of All Time.
The group has had its share of legal problems that have been well documented. In 2009, Kars4Kids settled with Pennsylvania and Oregon over claims of misleading donors, and of violating its tax exempt status by offering ‘free vacations’ to potential donors (one source claimed that the free vacations included a “time-share” sales seminar). Charitywatch.org has highlighted other issues such as a $300k lawsuit for unpaid scholarships, $500,000 a year in legal fees, and a wide range of alleged questionable practices.
Suffering a data breach can happen to anyone and Kars4Kids is not unique in this case. Companies and charities large and small must make sure that they are taking every possible step to secure the data they collect or store. Before this discovery I only knew of this song and had no idea of who they are or what exactly they do. Only when digging deeper in the publicly accessible database did the pieces of the puzzle start to become more clear of what Kars4Kids actually does or how it looks from the inside.
For more information on this discovery or comments please contact firstname.lastname@example.org