Online fundraising is a growing industry that has raised many billions of dollars for worthy causes from around the street to around the world. The concept of small donations from many people can have a big impact. The real issue is that the more people and donations an organization collects, the bigger the challenge of managing the data that donors provide in the process.
On July 11th, I discovered a non-password protected database that contained millions of records. Upon further investigation it appeared to be connected to an online fundraising platform called Wedidit. I immediately contacted them by email with a disclosure notification and public access was closed shortly after. It is unclear how long the data was exposed or who else may have had access to it.
According to their website: WeDidIt makes fundraising software that helps nonprofits fundraise online with fundraising software, donor prospecting tools, and more.
A look inside the publicly accessible database gave a better understanding of the kind of data Wedidit collected and stored. The folders all contained the name “production”, and this type of data is usually essential to completing day-to-day business tasks and processes. We can only speculate that this could be donor data, based on the number of individuals contained in the folders called “Production_Profiles”. I was also able to validate several of the emails against Facebook accounts.
What the database contained:
- 7.5 million records including full names, user account numbers, home addresses, emails, and other identifiable details.
- IP addresses, ports, pathways, and storage info that cyber criminals could exploit to gain deeper access into the network.
As part of our responsible disclosure process we allow organizations the necessary time to review their internal process and data protection policies, and to notify the affected individuals, before we publish the discovery. Any data incident is still a potential backdoor into the network, and companies or charities of all sizes must make sure that they are taking every possible step to secure the data they collect and store. As security researchers, our primary goal is protecting users’ data online and data security education. We report facts and opinions and have no bias toward the companies or individuals we report on.
Wedidit acted fast to secure the data, but despite multiple requests for comment they never replied to our inquiries regarding the data incident between July 11th and the time of publication on Aug 23rd. Launched in 2012, Wedid.it is based in Brooklyn, NY. However, according to a press release from June 25th 2019, Allegiance Fundraising Group acquired Wedidit. It is obvious that my notification got through to someone at Wedidit because of how fast public access to the database was closed, but it is unclear if Allegiance Fundraising Group was informed of the data incident. Neither Wedid.it nor Allegiance Fundraising Group has responded at the time of publication or since, and it is unclear if this data incident was reported to users who may have been affected or to the authorities.