Goodwill claims it was hit by data breach

American nonprofit Goodwill has suffered a data breach that is affecting the users of its ShopGoodwill.com e-commerce auction platform. 

Reports say the company’s platform had an exploitable vulnerability, which malicious actors abused to make off with the full names, email addresses, phone numbers, and mailing addresses of its users.

It's not known exactly how many customers were affected by the breach, but Goodwill says it has patched the vulnerability.

Making use of stolen data

In a notification letter sent to affected customers, the company’s Vice President Ryan Smith said that the attackers did not access any accounts and that no financial data was taken.

“We were recently alerted to an issue on our website which resulted in the exposure of some of your personal contact information to an unauthorized third party,” Smith said.

“No payment card information was exposed; ShopGoodwill does not store payment card information. While the third party accessed buyer contact information, they did not access your ShopGoodwill account.”

Stolen names, email addresses, phone numbers and mailing addresses may not seem like much, but for cybercrooks it’s plenty. This information can be used in identity theft, allowing malicious actors to pose online as their victims, either to steal more sensitive data elsewhere or to mount a phishing attack.

This data is also useful in password cracking, as many people use things like birth dates or physical addresses as their passwords. It can also be used in credential stuffing, as consumers often use the same login data across numerous services.

The nonprofit helps people with disabilities worldwide and, according to BleepingComputer, helped 230,000 individuals find a job in 2019. Its funding comes from the sales of donated goods, which can be purchased either in thrift shops around the world or on the ShopGoodwill.com online auction site.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.