Charity Hacker Used Employee Password

Attacker who stole data from 92 charities had a valid password from their shared service provider

The hacker who stole personal information from donors at 92 charities entered the system with an employee password from Convio, the database services provider that all the charities shared.

According to an Associated Press report, a spokesman from Convio confirmed that the attacker had gained access to names and email addresses of the charities by accessing their databases using a Convio password.

No Social Security numbers or bank account information was stolen, the spokesman said. The charities have been notified, but so far, the Red Cross is the only one that has been named. The company still isn't sure how much data was stolen.

A Red Cross spokeswoman confirmed that roughly 278,000 email addresses and a smaller number of passwords were taken from a Red Cross blood drive website that ran on Convio's software. She said the Red Cross notified affected users on November 14.

Convio, which has filed papers to prepare for an initial public offering, has 1,200 clients, according to the report. Only clients using a program called GetActive, which Convio acquired in March, were affected by the attack, the spokesman said.

— Tim Wilson, Site Editor, Dark Reading