Religious Website and Software Provider Leaks Customer and Credit Card Data for Many Months

Religious website service Clover Sites exposed customer data for at least 6-7 months and the dataset was found twice on two separate databases.

On May 22nd I discovered and reported a data exposure incident involving a religious website builder called “Clover Sites”. The non-password-protected database contained 65,800 records and what appears to be all of Clover Sites’ customer accounts, past and present. The records were very detailed and included customer names and billing info such as addresses and the last 4 digits of credit card numbers. There were also detailed internal comments about calls, help requests, or whether the customer was happy or unhappy.

“Clover Sites is a website creator that allows its clients to instantly create and manage websites and Clover Donations provides a simple way to accept donations online anytime and anywhere. It was created to give its users one of the best and front-end web presences available, combined with an un-intimidating content management system,” according to their Crunchbase profile.

The following day, on May 23rd, I noticed that the database was still publicly accessible and decided to call them by phone. To my surprise and shock, the agent I spoke with told me “the manager would not speak with me and was aware of the situation that was already resolved”. The agent said that they were already notified by Bob Diachenko from Security Discovery roughly a month before my discovery.

At this point I assume there is a misunderstanding because I can see their customer files as I am talking with the agent. I ask again to speak with the manager and that I want to clarify the situation because the data is still open and again I get the same response. On May 24th I had a meeting with Bob Diachenko (who is Cyber Threa ..
