Goodwill discloses data breach on its ShopGoodwill platform

Goodwill discloses data breach on its ShopGoodwill platform

Image: Ryan Stone

American nonprofit Goodwill has disclosed a data breach that affected the accounts of customers using its e-commerce auction platform.

ShopGoodwill’s Vice President Ryan Smith said in data breach notification letters sent to impacted individuals that some of their personal contact information was exposed due to a site vulnerability.

Smith added that no payment information was exposed in the incident because ShopGoodwill does not store such data on its servers.

“We were recently alerted to an issue on our website which resulted in the exposure of some of your personal contact information to an unauthorized third party. This contact information includes your first and last name, email address, phone number, and mailing address,” Smith explained.

“No payment card information was exposed; ShopGoodwill does not store payment card information. While the third party accessed buyer contact information, they did not access your ShopGoodwill account.”

The nonprofit has fixed the ShopGoodwill vulnerability that led to the personal contact information exposure.

ShopGoodwill data breach
ShopGoodwill data breach notification letter (Troy Hunt)

“ShopGoodwill is committed to the security of your personal information and we apologize for any frustration or concern this incident may cause,” Smith added.

“If we learn of any additional relevant information, we will contact you immediately. If you have a question that has not been addressed in this communication, please email [email protected]

Goodwill has served over 25 million people with disabilities or disadvantages worldwide in 2019 and helped more than 230,000 individuals train to find a job in banking, IT, and health care.

The nonprofit funds itself by selling donated clothing and household goods via a large network of thousands of retail thrift stores around the world and on its online auction site.

A Goodwill spokesperson was not available for comment when contacted by BleepingComputer earlier today.