Thousands of donors who were able to look past the Kars4Kids ad jingle and went ahead had their information exposed when a misconfigured MongoDB database left it publicly accessible.

Bob Diachenko, HackenProof’s director of cyber risk research, found 21,612 customer/donor and charity records containing emails and personal data open to the public. The corporate records also helped reveal an even deeper layer of information, such as the vacation vouchers that are given to people who donated their vehicles and receipts with personal data such as emails, home addresses, and phone numbers.

Diachenko noted that Kars4Kids’ bad luck did not stop with the misconfigured database. During his search of the public-facing data he found evidence of a ransom note.

“We cannot confirm or deny that cybercriminals have downloaded the entire Kars4Kids’ database, but the ransom note provides reasonable suspicion that it is a possibility. It is unclear how long the data was exposed or how many others have gained access to it before the notification was sent and ultimately secured,” he wrote.

HackenProof could not determine whether the database had been downloaded, but the fact that a ransom note was left is a strong indicator that something nefarious took place. It is also unclear how long the database was open.

Kars4Kids was informed of the situation by email on November 3, but Diachenko said no response was forthcoming. His team then began calling the charity in an attempt to connect with its IT team, but was again stymied. The charity contacted HackenProof on November 7, acknowledging the issue, and then secured the database.