People who donated to support the truckers currently participating in Canada's “Freedom Convoy” could have had their passport and driver licenses photos exposed due to a security lapse on the donation site GiveSendGo.
While the protest that began in January initially accepted donations using GoFundMe, the crowdsourcing giant decided to freeze around $7.9m in donations following police reports of violence and harassment in Ottawa.
As a result, the truckers behind the convoy decided to switch to the Boston-based donation service GiveSendGo as an alternative. According to the company, it processed over $4.5m in donations for the Freedom Convoy during its first day of hosting the “Adopt a Trucker” campaign.
In addition to this huge influx of donations, GiveSendGo also saw loads of malicious traffic to its site according to co-founder Jacob Wells who explained the situation further in a press release, saying:
“Along with the tremendous showing of support, there has also been plenty of push back. We’ve seen nearly 10 million bots trying to overwhelm our servers in just the past two hours. Though this has caused issues for the platform, we will not let it stand in the way of providing a safe and effective means of fundraising for our campaign owner across the globe.”
Exposed S3 bucket
As reported by TechCrunch, a person working in the security industry informed the news outlet that they had discovered the web address for an exposed Amazon S3 bucket while viewing the source code of the Freedom Convoy's page on GiveSendGo.
This exposed S3 bucket contained over 50GB of files including over a thousand pictures of passports and driver licenses collected from donors. These documents were likely submitted to GiveSendGo during the payments process as some financial institutions require this to be done before a payment can be processed.
After learning of the exposed S3 bucket and the personal information it contained, TechCrunch contacted Wells and it was secured a short time later. While it's not known how long the bucket was publicly accessible online, a text file left behind by a security researcher from September of 2018 warned that the bucket was “not properly configured”.
As countless businesses have left their databases unsecured and S3 buckets exposed online over the years, consumers can proactively protect their personal data online by investing in identity theft protection.