#privacy: Fundraising platform exposes more than 7 million records


A database belonging to the fundraising platform Wedidit has been discovered exposed online without password protection.

Security researcher Jeremiah Fowler discovered the unprotected database on July 11th. A subsequent investigation found that it was connected to an online fundraising platform.

The database was publicly accessible and all the folders within it contained the name “production”. The type of data in the folders “is usually essential to completing day-to-day business tasks and processes.”

It is speculated that the data could belong to donors, given the number of individuals contained in the folders. Fowler was also able to validate several emails against Facebook accounts.

The database contained 7.5 million records, including full names, user account numbers, emails and other identifiable details. It also contained IP addresses, ports and pathways, all of which could be exploited by cybercriminals to gain deeper access to the network.

Fowler notified Wedidit about the database, and it was closed shortly afterwards. However, it remains unclear how long the data was exposed and who may have had access to it. It is also unclear whether users were alerted to the incident or whether the relevant authorities were contacted.

Fowler said: 

“Any data incident is still a potential backdoor into the network and companies or charities of all sizes must make sure that they are taking every possible step to secure the data they collect and store.”
