Attackers Snatch Member Data from 92 Nonprofits

Attackers steal passwords and accounts from 92 nonprofits by hacking the leading online marketing company for nonprofits.

Attackers have stolen passwords and accounts from 92 nonprofits by infiltrating systems at Convio, the leading online marketing company for nonprofits.

Affected nonprofit organizations include the American Museum of Natural History, Working Assets, CARE and Free Press.

According to a letter sent by Convio to one of the affected organizations, the e-mail addresses and member passwords were downloaded without authorization from 92 GetActive clients between Oct. 23 and Nov. 1. GetActive is an application that Convio acquired with the nonprofit eCRM software company, also named GetActive, in February.

The attacker or attackers had prepared to steal the same information from another 62 GetActive clients, but the attempt was foiled when Convio discovered the breach late in the day on Nov. 1.

"The attack was carried out by an outside party who temporarily gained limited access to our systems," the letter said. "As soon as this attack was discovered, we took immediate steps to correct the situation. We are confident that these steps have restored the security of our systems. We are also cooperating with federal authorities to investigate the illegal access and data theft."

According to Convio, no credit card or other personal data was lost in the breach, only e-mail addresses and passwords. A spokesperson for Convio told eWEEK that Convio doesnt store credit cards, although the legacy GetActive application does to some extent.

Convio is in the process of rewriting the functionality it gets from the GetActive application into a native version on its own system, he said. As that work continues, GetActive users have been migrating over to Convios native system, but given that no end of life date has been set for the GetActive platform, the migration is not forced, the spokesperson said.

Convio is recommending that its client organizations notify any constituents with user-created passwords that might have been disclosed. Some of those individuals might use the same e-mail address and password with multiple online service providers such as Yahoo or PayPal or even at banks or online merchants, any of which could open them up to compromise of those additional accounts. Individuals who are affected should change their passwords at such accounts as soon as possible.

Convio is also warning GetActive users to be on the alert regarding e-mail that appears to be from a brand name organization that urges recipients to visit a Web site to provide personal or financial information because an account may have been compromised or deactivated. Such e-mail would come from phishers running a scam, as legitimate businesses wouldnt ask for such information.

Convio has created a query within its dashboard that can be used to identify which members of an organizations list might be affected.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.