Kars4Kids charity accidentally exposes over 21,000 customers’ and donors’ data

  • The exposed data includes the emails and personal information of customers and donors.
  • The Kars4Kids account usernames and passwords were stored in plaintext.

New Jersey-based Kars4Kids charity inadvertently exposed the Personally Identifiable Information (PII) of 21,612 customers and donors. The breach was caused by an unprotected MongoDB database.

The data leak was discovered by Bob Diachenko, Hacken’s director of cyber risk research, on November 3. The exposed data includes the emails and personal information of customers and donors. In addition, Diachenko found that the Kars4Kids accounts’ usernames and passwords were stored in plaintext.

“There were internal accounts with usernames and passwords that cybercriminals may have used to access the Kars4Kids dashboard, that would give them access to even more sensitive data – like vacation vouchers (free holidays for those that donated their vehicles) and receipts, with such personal data like emails, home addresses, phone numbers, etc.,” Diachenko said in a blog post.

Apart from the exposed data, Diachenko also found a ransom note which indicates that cybercriminals may have accessed the unprotected database.

“We have seen multiple misconfigured instances of MongoDB where human error makes the database publicly accessible without a password. This means that anyone with an internet connection could have had access to Kars4Kids’ data. In fact, there is clear evidence that cybercriminals placed a ransom note inside their database,” Diachenko explained.
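The exposure pattern Diachenko describes comes down to two mongod settings: a listening address open to every interface and access control left disabled. The following check is an added example, not code from the article or from Hacken; it audits a parsed mongod.conf (the keys net.bindIp, net.bindIpAll and security.authorization are real mongod options, while the two sample configurations are constructed for illustration).

```python
# Added example: flag the mongod settings whose combination leaves a database
# readable by anyone on the internet. Input is the parsed mongod.conf as a dict.
WILDCARD_ADDRESSES = {"0.0.0.0", "::", "*"}


def _bind_addresses(net):
    # net.bindIp may be a comma-separated string or a list; mongod defaults to localhost
    raw = net.get("bindIp", "localhost")
    if isinstance(raw, str):
        return [a.strip() for a in raw.split(",") if a.strip()]
    return [str(a).strip() for a in raw]


def audit_mongod_config(cfg):
    """Return a list of findings; an empty list means the exposure pattern is absent."""
    findings = []
    net = cfg.get("net") or {}
    security = cfg.get("security") or {}

    if net.get("bindIpAll") is True:
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif any(addr in WILDCARD_ADDRESSES for addr in _bind_addresses(net)):
        findings.append("net.bindIp contains a wildcard: mongod is reachable from outside the host")

    # authorization is off unless explicitly set to 'enabled'
    if str(security.get("authorization", "disabled")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': clients need no credentials")

    if len(findings) == 2:
        findings.append("CRITICAL: open listener with no authentication, anyone who can reach the port has full access")
    return findings


# Constructed config reproducing the exposed pattern (no 'security' section at all)
EXPOSED_CONFIG = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

# Constructed hardened counterpart: bound to loopback plus one internal address, auth on
HARDENED_CONFIG = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.0.0.5"},
    "security": {"authorization": "enabled"},
    "storage": {"dbPath": "/var/lib/mongodb"},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod_config(cfg) or ["no findings"])
```

Network reachability also depends on firewall rules and cloud security groups, so a clean result here does not replace checking those.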

It is still unclear how long the database remained exposed to the public, or how many cybercriminals may have gained access to it. Diachenko said that he contacted Kars4Kids to inform the charity about the data leak. The organization has secured the vulnerable database and informed the FBI’s cyber division.

“We take the security of our donors’ information extremely seriously. After looking into this matter, we immediately secured the vulnerable database, notified the FBI cyber division, and also informed those donors whose information was affected.

Unfortunately, as a nonprofit organization, we do not have a discovery bounty program in place. We do very much appreciate your letting us know of this issue and your dedication to keeping the web secure,” a KARS4KIDS representative told Diachenko on November 7.