Donation site for Ottawa “Freedom Convoy” exposed user data

Misconfigured S3 bucket contained donors' passports and driver licenses

People who donated to support the truckers currently participating in Canada’s “Freedom Convoy” could have had their passport and driver's license photos exposed due to a security lapse on the donation site GiveSendGo.

While the protest that began in January initially accepted donations using GoFundMe, the crowdsourcing giant decided to freeze around $7.9m in donations following police reports of violence and harassment in Ottawa.

As a result, the truckers behind the convoy decided to switch to the Boston-based donation service GiveSendGo as an alternative. According to the company, it processed over $4.5m in donations for the Freedom Convoy during its first day of hosting the “Adopt a Trucker” campaign.

In addition to this huge influx of donations, GiveSendGo also saw loads of malicious traffic to its site, according to co-founder Jacob Wells, who explained the situation further in a press release, saying:

“Along with the tremendous showing of support, there has also been plenty of push back. We’ve seen nearly 10 million bots trying to overwhelm our servers in just the past two hours. Though this has caused issues for the platform, we will not let it stand in the way of providing a safe and effective means of fundraising for our campaign owner across the globe.”

Exposed S3 bucket

As reported by TechCrunch, a person working in the security industry informed the news outlet that they had discovered the web address for an exposed Amazon S3 bucket while viewing the source code of the Freedom Convoy’s page on GiveSendGo.

This exposed S3 bucket contained over 50GB of files, including over a thousand pictures of passports and driver licenses collected from donors. These documents were likely submitted to GiveSendGo during the payments process, as some financial institutions require this to be done before a payment can be processed.

After learning of the exposed S3 bucket and the personal information it contained, TechCrunch contacted Wells and the bucket was secured a short time later. While it’s not known how long the bucket was publicly accessible online, a text file from September of 2018 left behind by a security researcher warned that the bucket was “not properly configured”.

As countless businesses have left their databases unsecured and S3 buckets exposed online over the years, consumers can proactively protect their personal data online by investing in the best identity theft protection.

Via TechCrunch

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.
