Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll have that awful jingle stuck in your head all day.
The New Jersey-based charity has plagued the American airwaves for years with the “most hated” jingle to try to get consumers to trade in their car — for the kids! In return, you get to write off the donation on your taxes, and you’re given a “holiday voucher” to sweeten the deal.
But a security lapse left thousands of those donation records exposed for anyone to find.
Bob Diachenko, Hacken.io’s director of cyber risk research, found the charity’s MongoDB database earlier this month on a server that was wide open, with no password required to read it.
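A database ends up in this state when two settings line up: the server listens on a public interface and access control is off. The check below is an added example, not Kars4Kids’ configuration (which the article does not describe) and not code from Hacken.io. It parses the plain “key: value” subset of YAML that mongod.conf uses and flags the combination that makes an instance readable by anyone who can reach the port; the two sample configs are constructed for illustration.

```python
"""Flag a mongod.conf that leaves MongoDB open to the internet.

Added example with constructed sample configs; nothing here is taken from
the Kars4Kids server.  Assumes the mongod 3.6+ defaults: bindIp defaults to
127.0.0.1 and security.authorization defaults to disabled.
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset of YAML that mongod.conf
    uses: nested maps and scalar values only (no lists, anchors or quoting).
    Trailing '# ...' comments are stripped, so values must not contain '#'."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Pop back out to the mapping that owns this indentation level.
        while indent <= stack[-1][0]:
            stack.pop()
        parent = stack[-1][1]
        if value == "":          # 'net:' with nothing after it opens a nested map
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def assess_mongod_config(cfg):
    """Return a list of human-readable findings for a parsed mongod.conf."""
    findings = []
    net = cfg.get("net", {})
    security = cfg.get("security", {})

    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addrs = [a.strip() for a in str(net.get("bindIp", "127.0.0.1")).split(",")]
    # 0.0.0.0 / :: and any non-loopback address are reachable from outside.
    public = bind_all or any(a not in LOOPBACK for a in addrs)

    auth_enabled = str(security.get("authorization", "disabled")).lower() == "enabled"

    if public:
        findings.append("listens on a non-loopback interface")
    if not auth_enabled:
        findings.append("access control disabled: no credentials required")
    if public and not auth_enabled:
        findings.append("OPEN: anyone who can reach the port can read, alter or delete every collection")
    return findings


# Constructed example of a config that leaves the database open.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # every interface, including the internet-facing one
"""  # no 'security:' section, so authorization defaults to disabled

# Constructed example of the hardened form.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1    # or the private address the application server uses
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, assess_mongod_config(parse_simple_yaml(conf)) or ["no findings"])
```

Enabling authorization on its own is not enough if the database also has no users, and binding to localhost is not enough if the application server is itself exposed; the check treats the two settings separately so that either weakness is reported even when the other is fixed.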
The server contained 21,612 records and climbing, representing weeks’ worth of data, Diachenko told TechCrunch before blogging his findings. The data included donor email addresses and donation receipts, with customized links to each donor’s tax receipt. He also found credentials, which he said could have allowed a hacker to access far more sensitive data.
Yet it took Kars4Kids two days to pull the database offline after Diachenko warned of the data exposure, he said.
Diachenko said that Kars4Kids had told him that customers had been informed, but TechCrunch has found no evidence to support the company’s claim.
Under state law, Kars4Kids is obligated to inform New Jersey’s attorney general of the breach.
Kars4Kids spokesperson Wendy Kirwan did not respond to a request for comment sent prior to publication.
It isn’t known how long the database was exposed, but Diachenko said he wasn’t the first to find it. A note left in the database by a hacker claimed the data had been “downloaded and backed up” and demanded bitcoin in exchange for its safe return.
The exposed records account for a portion, though not all, of the donations Kars4Kids takes in each year, reportedly tens of thousands of cars annually. The non-profit has been criticized over the handling of its finances, and currently has a “moderate concern” rating from independent evaluator Charity Navigator.