Exposed MongoDB database PII of 21,612 donors and customers

Nov 14, 2018 21:02 GMT  ·  By

An unprotected MongoDB database containing a wealth of personally identifiable information related to 21,612 customers and donors was found by Bob Diachenko, Hacken's Director of Cyber Risk Research on November 3.

After discovering the database left out in the open on the Internet, Diachenko noticed that the records it exposed were leaked by the New Jersey-based KARS4KIDS charity.

The unprotected database contained customers' and donors' emails and personal information, as well as super admin credentials. In addition, Diachenko found KARS4KIDS accounts whose usernames and passwords were stored in plain text.

Had a potential attacker gained access to the database, they could have logged into KARS4KIDS' web dashboard, which would have allowed easy access to "vacation vouchers (free holidays for those that donated their vehicles) and receipts, with such personal data like emails, home addresses, phone numbers, and etc."
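The root cause in this incident is a MongoDB instance reachable from the Internet with no authentication required. As an added example that is not code from the article, from Hacken or from KARS4KIDS, here is a small Python audit of a mongod.conf fragment for the two settings that decide exactly that: `security.authorization` and `net.bindIp` (both real mongod options). The reader assumes the simple two-level "section: / key: value" layout that mongod's YAML config normally uses, so it runs with only the standard library; the two sample configs are constructed for the demonstration.

```python
"""Audit a mongod.conf fragment for the settings that leave an instance
open and unauthenticated on the network.

Assumption: the config uses mongod's usual two-level YAML layout, so a
minimal indentation-based reader is enough (no pyyaml needed).
"""


def parse_mongod_conf(text: str) -> dict:
    """Return {section: {key: value}} from a two-level YAML-style config."""
    conf: dict = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        if indent == 0:
            if value:  # top-level scalar, e.g. "systemLog: ..." (not expected here)
                conf[key] = value
                section = None
            else:
                section = key
                conf.setdefault(section, {})
        elif section is not None:
            conf[section][key] = value
    return conf


def audit_mongod_conf(text: str) -> list:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    findings = []

    security = conf.get("security", {})
    if not isinstance(security, dict) or security.get("authorization") != "enabled":
        findings.append(
            "security.authorization is not 'enabled': any client that can reach "
            "the port can read and write every collection without credentials"
        )

    net = conf.get("net", {})
    if not isinstance(net, dict):
        net = {}
    # mongod has bound to 127.0.0.1 by default since 3.6; an explicit bindIp
    # of 0.0.0.0 / :: or bindIpAll: true exposes the port on every interface.
    bind_ip = net.get("bindIp", "127.0.0.1")
    addrs = [a.strip() for a in bind_ip.split(",")]
    if any(a in ("0.0.0.0", "::", "*") for a in addrs) or net.get("bindIpAll") == "true":
        findings.append(
            f"net.bindIp={bind_ip!r} listens on all interfaces: restrict it to "
            "loopback and the application subnet, and firewall port "
            f"{net.get('port', '27017')} from the Internet"
        )
    return findings


# Constructed sample: the shape of a deployment that ends up indexed by
# Internet-wide scanners, next to its corrected counterpart.
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from every interface, no auth section at all
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the app server's private address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or "OK")
```

Run against a real file with `audit_mongod_conf(open("/etc/mongod.conf").read())`; a clean result still leaves TLS, role scoping for the `admin` database and network-level filtering to check separately.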

Besides all the data left out in the open, Diachenko also found a ransom note within the database, which proves that at least one other party had found the publicly accessible database and possibly stolen some of the information.

KARS4KIDS' exposed database was available online for an undetermined amount of time

"It is unclear how long the data was exposed or how many others have gained access to it before the notification was sent and ultimately secured," according to Hacken's report.

After discovering the exposed MongoDB database, Diachenko contacted the KARS4KIDS charity via multiple email addresses on November 3, but he did not receive a reply until late November 5.

Eventually, after a 3-hour phone call, the researcher got in touch with someone who could deal with the security issue.

"After looking into this matter, we immediately secured the vulnerable database, notified the FBI cyber division, and also informed those donors whose information was affected," a KARS4KIDS spokesperson told Diachenko on November 7. "Unfortunately, as a nonprofit organization, we do not have a discovery bounty program in place."
