More than 5,000 people exposed in Habitat for Humanity data breach
The breach was discovered and shut down earlier this month.
A massive data breach earlier this month at Habitat for Humanity exposed the personal information of thousands of individuals, including their Social Security numbers.
Habitat for Humanity of Michigan’s virtual hard drive backups, which contained more than 400GB of information, were discovered online by an Austin-based security researcher in early October. The data is said to have contained hundreds of background and credit check profiles, in addition to roughly 4,600 individual profiles, all of which included Social Security numbers and other personally identifiable information.
Those affected by the breach are believed to be Michigan volunteers and applicants of the non-profit organization.
Habitat is an international Christian charity devoted to building “simple, decent, and affordable” housing and addressing issues of poverty around the world.
The data breach was discovered by Chris Vickery, a lead security researcher for MacKeeper. Vickery described the breach as an “identity thief’s dream.” Habitat was alerted to the breach roughly three weeks ago. The leaky database has since been either taken down or moved to another location.
“I’ve found, so far, close to 5,500 people have been seriously exposed by this breach,” Vickery told the Daily Dot. Among the files, he said, are Experian credit check reports containing a wealth of personal information: “Everything an identity thief would need to break the law and do their thing,” he said.
According to Vickery, Habitat’s hosting provider had an exposed “rsync” service, a protocol which is used to “copy files from a given directory to another device—it’s used to make backups,” he explained. “However, most of the client’s backups were encrypted with … a decent backup encryption service.” Habitat’s folder, however, was not encrypted. “Their virtual hard drives were simply available.”
Vickery reached out to alert Habitat three weeks ago, but he has only ever been transferred to a supervisor’s voicemail. “My messages have gotten zero responses,” he said. Given the length of time the data may have been exposed—which may be difficult to accurately pinpoint—the organization has a responsibility to notify the people who may be affected, he said.
A spokesperson for Habitat’s Michigan branch said it needed more time to assess the situation.
Ultimately, Vickery said, the fault lies with the party responsible for backing up Habitat’s data. “I don’t know in what area that process happens,” he said. “The question of where the servers are physically stored, and who is in charge of turning on and off the firewall, is up in the air.”
The leaky database containing Habitat’s data was taken offline around Oct. 10, a day after Vickery contacted ACD, Habitat’s internet provider, but before he reached out to Habitat itself.
ACD denied responsibility. “We are the ISP for Habitat for Humanity. We provide internet service to some of their sites,” said Kevin Meeker, an ACD sales engineer. “I provide raw internet, what they do with it is up to them.”
Evidence pulled from the breach may point to a Michigan-based tech company called Providence.
Reached by phone on Friday, a Providence employee confirmed that Habitat is their client. “I know that we are aware and that our CEO has looked into that,” the employee said. “I will tell you that the way that it was presented to us made it sound like [Vickery] may have been a hacker and that it may have been a phishing scam.”
An oft-cited security expert, Vickery has been instrumental over the past year in securing dozens of databases containing the private information of U.S. and foreign citizens.
In December, Vickery helped to secure a publicly accessible database containing the personal information of 191 million American voters. In June, he discovered yet another database containing approximately 56 million voter records, which included information about gun ownership.
This summer, he was invited to Mexico by the nation’s government after he discovered the names, addresses, dates of birth and voter ID numbers of 87 million Mexican citizens exposed by a misconfigured database online.
Clarification: ACD did not host the breached database.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.