Hackers have once again leaked data on donors to the Freedom Convoy fundraiser hosted by the Christian crowdfunding website GiveSendGo.
The data, provided by the hacker to the transparency and journalism collective DDoSecrets, reveals all names and donation amounts provided to the campaign as of Feb. 23 as well as limited credit card data.
A hacker had previously leaked a downloadable file on the identities of more than 92,000 donors on Feb. 13. Visitors to GiveSendGo’s website were redirected to a rogue domain that not only offered a downloadable file of the data but a long manifesto set to music from the Disney film Frozen II.
The initial leak came just three days after the Daily Dot was alerted to serious security issues on GiveSendGo’s website that saw private documents such as passports and driver’s licenses openly exposed. Despite informing the company of the vulnerabilities uncovered by security researchers, GiveSendGo co-founder Jacob Wells called the issue “fake news.”
Just two days later on Feb. 15, an even more devastating leak revealed the entire donor history of every individual who had ever used GiveSendGo as well as limited credit card data.
The incident finally caused GiveSendGo, which had remained quiet on the issues up until that point, to take down its website and release a statement regarding the breach. The company tried to reassure users by claiming that it had “performed many security audits to ensure the security of the site before bringing it back online.”
But the new leak not only reveals information on the latest donors but more of their financial data as well, including the last four digits of credit cards and their expiration dates. Analysis of the data also shows that the fundraiser has received more than 10,000 new donations since the initial leak on Feb. 13.
While the initial leak showed the campaign had been given roughly $9,910,144, the new data shows that the Freedom Convoy has now received over $10,629,762. Refund amounts also changed from around $17,000 to nearly $41,000 as well.
The hack and leak, which DDoSecrets is only providing to journalists and researchers given the sensitivity of the data, reveals that GiveSendGo’s continued security woes have done little to deter the campaign’s supporters.
The Daily Dot reached out to GiveSendGo to ask if it was aware of the hack and what steps it had taken following its previous security incidents to protect users’ data but did not hear back.
The hack is just one of several targeting the Freedom Convoy movement in Canada, whose aim is to blockade roads in an effort to have vaccine mandates and other health measures repealed.
A similar campaign on GiveSendGo known as “Adopt a Trucker” has also had donor data leaked. Not only that, the campaign’s founder Chris Garrah had his emails hacked and leaked earlier this week as well.
Garrah told the Daily Dot in an email that he wasn’t “much of an email person or computer person” and was not concerned about the hack. Hours later, the hacker, using Garrah’s email, responded to the Daily Dot to reveal that he still had access to Garrah’s account.
“Pardon my intrusion into the conversation,” the hacker wrote. “Chris has definitely not secured his email!”
Source: https://www.dailydot.com/debug/hackers-givesendgo-freedom-convoy-new-leak/