More than 5,000 people exposed in Habitat for Humanity data breach
The breach was discovered and shut down earlier this month.
A massive data breach earlier this month at Habitat for Humanity exposed the personal information of thousands of individuals, including their Social Security numbers.
Habitat for Humanity of Michigan’s virtual hard drive backups, which contained more than 400GB of information, were discovered online by an Austin-based security researcher in early October. The data is said to have contained hundreds of background and credit check profiles, in addition to roughly 4,600 individual profiles, all of which included Social Security numbers and other personally identifiable information.
Those affected by the breach are believed to be Michigan volunteers and applicants of the non-profit organization.
Habitat is an international Christian charity devoted to building “simple, decent, and affordable” housing and addressing issues of poverty around the world.
The data breach was discovered by Chris Vickery, a lead security researcher for MacKeeper. Vickery described the breach as an “identity thief’s dream.” Habitat was alerted to the breach roughly three weeks ago. The leaky database has since been either taken down or moved to another location.
“I’ve found, so far, close to 5,500 people have been seriously exposed by this breach,” Vickery told the Daily Dot. Among the files, he said, are Experian credit check reports containing a wealth of personal information: “Everything an identity thief would need to break the law and do their thing,” he said.
According to Vickery, Habitat’s hosting provider had an exposed “rsync” service, a protocol which is used to “copy files from a given directory to another device—it’s used to make backups,” he explained. “However, most of the client’s backups were encrypted with … a decent backup encryption service.” Habitat’s folder, however, was not encrypted. “Their virtual hard drives were simply available.”
Vickery reached out to alert Habitat three weeks ago, but he has only ever been transferred to a supervisor’s voicemail. “My messages have gotten zero responses,” he said. Given the length of time the data may have been exposed—which may be difficult to accurately pinpoint—the organization has a responsibility to notify the people who may be affected, he said.
A spokesperson for Habitat’s Michigan branch said it needed more time to assess the situation.
Ultimately, Vickery said, the fault lies with the party responsible for backing up Habitat’s data. “I don’t know in what area that process happens,” he said. “The question of where the servers are physically stored, and who is in charge of turning on and off the firewall, is up in the air.”
The leaky database containing Habitat’s data was taken offline around Oct. 10, a day after Vickery contacted ACD, Habitat’s internet provider, but before he reached out to Habitat itself.
ACD denied responsibility. “We are the ISP for Habitat for Humanity. We provide internet service to some of their sites,” said Kevin Meeker, an ACD sales engineer. “I provide raw internet, what they do with it is up to them.”
Evidence pulled from the breach may point to a Michigan-based tech company called Providence.
Reached by phone on Friday, a Providence employee confirmed that Habitat is their client. “I know that we are aware and that our CEO has looked into that,” the employee said. “I will tell you that the way that it was presented to us made it sound like [Vickery] may have been a hacker and that it may have been a phishing scam.”
An oft-cited security expert, Vickery has been instrumental over the past year in securing dozens of databases containing the private information of U.S. and foreign citizens.
In December, Vickery helped to secure a publicly accessible database containing the personal information of 191 million American voters. In June, he discovered yet another database containing approximately 56 million voter records, which included information about gun ownership.
This summer, he was invited to Mexico by the nation’s government after he discovered the names, addresses, dates of birth and voter ID numbers of 87 million Mexican citizens exposed by a misconfigured database online.
Clarification: ACD did not host the breached database.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.