GiveSendGo, the Christian crowdfunding service used by the Canadian trucker protest, has suffered yet another leak of internal data.
The journalism collective DDoSecrets announced on Tuesday that it had been provided with five gigabytes of new data related to the Freedom Convoy’s fundraising efforts as well as a separate campaign known as “Adopt a Trucker.”
The Freedom Convoy, which has led to blockades along the U.S.-Canada border, began in late January in protest of COVID-19 health measures. Canadian Prime Minister Justin Trudeau invoked on Monday the country’s Emergencies Act, which can be used to temporarily suspend citizens’ rights to assembly, in an effort to thwart the movement.
The new leak, which reportedly came after GiveSendGo was targeted by hackers, also includes “a full 2.5 GB MySQL database dump, source code for their Bitbucket repo, information from their customer service systems” as well as limited credit card data from donors.
Given the sensitive nature of the leak, DDoSecrets is opting to only provide the data to journalists and researchers. The Daily Dot, which was able to secure a copy of the leak, confirmed that the last four digits of credit card numbers, as well as expiration dates, are present in the data.
GiveSendGo did not respond to inquiries from the Daily Dot regarding the latest leak.
The new leak came just minutes after GiveSendGo finally responded to a previous leak from Sunday night which saw a list of more than 92,000 donors to the Freedom Convoy exposed. In its statement on the matter, GiveSendGo claimed that no credit card data had been accessed.
“There was a broadcasted breach showing one such actor illegally hacking into GiveSendGo and distributing the names and emails of donors of the Freedom Convoy Campaign,” the company wrote. “However, no credit card information was leaked. No money was stolen.”
The Daily Dot was the first to report on Sunday that donor data had been leaked. The hackers were able to redirect visitors to GiveSendGo’s website to a separate domain that included a video from the Disney film Frozen II as well as a long manifesto condemning the company and its supporters.
The hackers’ website was ultimately suspended and GiveSendGo took its own site offline as well in an effort to investigate the breach.
Yet Sunday’s leak wasn’t even the first security issue for GiveSendGo. On Thursday, the Daily Dot revealed that GiveSendGo had failed to fix an issue with its server that exposed sensitive information regarding those who ran donation campaigns.
Everything from photos of driver’s licenses and military IDs to birth certificates and health insurance cards were publicly accessible on GiveSendGo’s website. TechCrunch had reported on the issue with the server last Tuesday and initially believed that the problem had been fixed.
Incredibly, a cybersecurity researcher had even left a note on GiveSendGo’s server back in 2018 warning the company that it had numerous security issues. The note was still present as of this month.
When contacted by the Daily Dot regarding the exposed IDs, GiveSendGo CEO Jacob Wells claimed that such allegations were “fake news” and part of an “intentional hit job” against his company. After the Daily Dot provided numerous links to the exposed data, Wells stopped responding.
Donor data from GiveSendGo had also been leaked in February of last year, showing that the crowdfunding website had been helping raise funds for those involved in the Jan 6. riot at the Capitol.
GiveSendGo’s website is currently back up and running. The company also claimed that a “dedicated team” had fixed its security issues.
Source: https://www.dailydot.com/debug/givesendgo-trucker-convoy-hack-leak/