Donation site used by Freedom Convoy suffers 3rd data leak in two weeks

The Christian fundraising website has suffered 3 leaks in just the last 2 weeks.

Mikael Thalen

Posted on Feb 15, 2022   Updated on Feb 15, 2022, 12:34 pm CST

GiveSendGo, the Christian crowdfunding service used by the Canadian trucker protest, has suffered yet another leak of internal data.

The journalism collective DDoSecrets announced on Tuesday that it had been provided with five gigabytes of new data related to the Freedom Convoy’s fundraising efforts as well as a separate campaign known as “Adopt a Trucker.”

The Freedom Convoy, which has led to blockades along the U.S.-Canada border, began in late January in protest of COVID-19 health measures. Canadian Prime Minister Justin Trudeau invoked on Monday the country’s Emergencies Act, which can be used to temporarily suspend citizens’ rights to assembly, in an effort to thwart the movement.

The new leak, which reportedly came after GiveSendGo was targeted by hackers, also includes “a full 2.5 GB MySQL database dump, source code for their Bitbucket repo, information from their customer service systems” as well as limited credit card data from donors.

Given the sensitive nature of the leak, DDoSecrets is opting to only provide the data to journalists and researchers. The Daily Dot, which was able to secure a copy of the leak, confirmed that the last four digits of credit card numbers, as well as expiration dates, are present in the data.

GiveSendGo did not respond to inquiries from the Daily Dot regarding the latest leak.

The new leak came just minutes after GiveSendGo finally responded to a previous leak from Sunday night which saw a list of more than 92,000 donors to the Freedom Convoy exposed. In its statement on the matter, GiveSendGo claimed that no credit card data had been accessed.

“There was a broadcasted breach showing one such actor illegally hacking into GiveSendGo and distributing the names and emails of donors of the Freedom Convoy Campaign,” the company wrote. “However, no credit card information was leaked. No money was stolen.”

The Daily Dot was the first to report on Sunday that donor data had been leaked. The hackers were able to redirect visitors to GiveSendGo’s website to a separate domain that included a video from the Disney film Frozen II as well as a long manifesto condemning the company and its supporters.

The hackers’ website was ultimately suspended and GiveSendGo took its own site offline as well in an effort to investigate the breach.

Yet Sunday’s leak wasn’t even the first security issue for GiveSendGo. On Thursday, the Daily Dot revealed that GiveSendGo had failed to fix an issue with its server that exposed sensitive information regarding those who ran donation campaigns.

Everything from photos of driver’s licenses and military IDs to birth certificates and health insurance cards was publicly accessible on GiveSendGo’s website. TechCrunch had reported on the issue with the server last Tuesday and initially believed that the problem had been fixed.

Incredibly, a cybersecurity researcher had even left a note on GiveSendGo’s server back in 2018 warning the company that it had numerous security issues. The note was still present as of this month.

When contacted by the Daily Dot regarding the exposed IDs, GiveSendGo CEO Jacob Wells claimed that such allegations were “fake news” and part of an “intentional hit job” against his company. After the Daily Dot provided numerous links to the exposed data, Wells stopped responding.

Donor data from GiveSendGo had also been leaked in February of last year, showing that the crowdfunding website had been helping raise funds for those involved in the Jan. 6 riot at the Capitol.

GiveSendGo’s website is currently back up and running. The company also claimed that a “dedicated team” had fixed its security issues.


*First Published: Feb 15, 2022, 12:09 pm CST