Distributed Email of Secrets

Share this post
Limited distribution: GiveSendGo part II (2.5 GB)
ddosecrets.substack.com

Limited distribution: GiveSendGo part II (2.5 GB)

Photos and scans of IDs, passports, visas, Driver's Licenses, and military ID cards of Givesendgo fundraisers that were left on an unsecured Amazon S3 bucket

Lorax B. Horne
Feb 11CommentShare

Today we are listing over 1,000 files consisting of identification cards (including driver's licenses, passports, military IDs, visas, birth certificates, insurance cards and more) uploaded onto GiveSendGo's publicly accessible Amazon-hosted S3 bucket in a sub-directory apparently labeled "legacy/stripe_document". The IDs seem to belong to crowdfund campaign creators, rather than their donors.

The Daily Dot reports:

After being alerted to the security lapse by TechCrunch, GiveSendGo appeared to fix the issue. But the Daily Dot learned on Thursday that sensitive data is still accessible.
A source with access to the data explained to the Daily Dot that GiveSendGo appeared to only remove the ability to view an index of the storage bucket’s contents but did not disable direct access to the files themselves.


As the majority of the files on the Amazon S3 bucket are merely part of GiveSendGo's website, we are excluding them from the release. A tiny number of files appear unrelated to the others (such as a lighthouse or videogame screenshot), but are included for completeness for researchers wishing to look into how GiveSendGo functions.

As this data consists largely of PII, it is limited distribution and available only upon request. Journalists and researchers with a record of public interest publishing should write to us with a research proposal to request access to this data.

It is important to note this data is unrelated to the February 2021 breach of GiveSendGo. Last year’s release included donor detail linking names to individual amounts and donation pages:

broken down by campaign and includes names, donation amounts, comments and email addresses. The last date in the cache appears to be donations for February 21, 2021.

Last year’s release is also limited distribution, due to containing PII for individuals unrelated to extremism or wrongdoing.

More info at:

February 2021 GiveSendGo wiki page and the
February 2022 GiveSendGo 2.0 wiki page.

CommentCommentShareShare

Create your profile

0 subscriptions will be displayed on your profile (edit)

Skip for now

Only paid subscribers can comment on this post

Already a paid subscriber? Sign in

Check your email

For your security, we need to re-authenticate you.

Click the link we sent to , or click here to sign in.

TopNewCommunity

No posts

Ready for more?

© 2022 Distributed Denial of Secrets
Privacy ∙ Terms ∙ Collection notice
Publish on Substack
Substack is the home for great writing

Our use of cookies

We use necessary cookies to make our site work. We also set performance and functionality cookies that help us make improvements by measuring traffic on our site. For more detailed information about the cookies we use, please see our privacy policy. ✖