Thousands of user IDs stolen in Red Cross blood drive hack

By Tim Conneally | Published November 28, 2007, 5:11 PM

Over a two-week period, over 278,000 e-mail addresses of Red Cross workers were swiped by a malicious user who found a back-door into a certain brand of non-profit fundraising software.

Convio Inc., an Austin, Texas-based software company that exclusively serves the needs of non-profit groups, admitted today that its GetActive software had been hacked and user data from 92 groups were stolen between October 23 and November 1.

Apparently, an unauthorized user accessed the Red Cross database with a stolen employee password. Fortunately, no Social Security numbers or bank account information was stolen, but the Red Cross confirmed that 278,000 of its e-mail addresses and an unspecified smaller number of passwords were pilfered.

The Red Cross was running a blood drive site on Convio's GetActive software platform.

Convio serves some of the largest American non-profit organizations with its online fundraising, advocacy, and e-mail marketing software. Some notable clients include Children's Cancer Research Fund, Easter Seals, and Paralyzed Veterans of America.

Update, 6:30 pm EST November 29, 2007 - A spokesperson for Convio, which manufactures the software at issue, contacted BetaNews this afternoon to say that the e-mail IDs swiped from the Red Cross database belonged to newsletter subscribers, not Red Cross employees.

"The intruder hacked into the Convio system electronically and from a distance," wrote corporate communications director Tad Druart, "after electronically compromising the password of a Convio employee...We also notified our clients in less than 48 hours after identifying and shutting down the breach on November 1, 2007."

Comments


"a malicious user"

Also known as Dracula. Crime solved.

Score: 0


Wow, let's blame the software for the stolen password, that makes sense. I have never used the software mentioned in the article, but pretty much any software on any platform is "vulnerable" to this type of "attack". 'Apparently, an unauthorized user accessed the Red Cross database with a stolen employee password.' I suppose if that password was a hardcoded programmer backdoor, as was unclearly implied above, then it is a vulnerability in the software. I am just not sure if that was what the article was saying.

Score: 0


Uh Oh! I always cringe when I read about a non-profit organization getting hacked or having a hard drive or notebook stolen! :( Since no SSN or bank information was taken, a bit of spam is much better than a stolen identity.

Score: 0


And this is a surprise? Win2003Server can be hacked by anyone with a brain and some ambition.

Score: 0


Convio also serves TechSoup, which provides very-low cost software to non-profits (like SBS 2003 Premium for $60). I received an email from TechSoup telling me about the situation and that email addresses for the mailing lists (and the passwords used to manage them) were stolen. http://blog.techsoup.org/node/188

Score: 0
