Thousands of user IDs stolen in Red Cross blood drive hack

Over a two-week period, over 278,000 e-mail addresses of Red Cross workers were swiped by a malicious user who found a back-door into a certain brand of non-profit fundraising software.

Convio Inc., an Austin, Texas-based software company that exclusively serves the needs of non-profit groups, admitted today that its GetActive software had been hacked and user data from 92 groups were stolen between October 23 and November 1.

Apparently, an unauthorized user accessed the Red Cross database with a stolen employee password. Fortunately, no Social Security numbers or bank account information was stolen, but the Red Cross confirmed that 278,000 of its e-mail addresses and an unspecified smaller number of passwords were pilfered.

The Red Cross was running a blood drive site on Convio's GetActive software platform.

Convio serves some of the largest American non-profit organizations with its online fundraising, advocacy, and e-mail marketing software. Some notable clients include Children's Cancer Research Fund, Easter Seals, and Paralyzed Veterans of America.

---

6:30 pm EST November 29, 2007 - A spokesperson for Convio which manufacturers the software at issue contacted BetaNews this afternoon to say that the e-mail IDs swiped from the Red Cross database belonged to newsletter subscribers, not Red Cross employees.

"The intruder hacked into the Convio system electronically and from a distance," wrote corporate communications director Tad Druart, "after electronically compromising the password of a Convio employee...We also notified our clients in less than 48 hours after identifying and shutting down the breach on November 1, 2007."