Church website builder data leaks puts thousands of Christians at risk, security researcher says

The leak affected "internal memos and records, customer email communication, ports, pathways, and data storage information Server IP addresses.


A website builder service catering to churches and other religious institutions has been affected by a data leak that could potentially have a number of damaging consequences.

Website Planet reports that the problem affects Clover Sites, and that it's a second data leak in about as many months affecting the service providing software tools used to easily build websites.

The second discovery reveals that tens of thousands of members of the clergy and their congregation have had their sensitive personal data exposed in a thorough manner. This includes clients' phone numbers, billing dates, emails and addresses, last four digits of credit card numbers, as well as clergy and volunteers' full names.

source: Website Planet

As for Clover Sites itself, the leak affected “internal memos and records, customer email communication, ports, pathways, and data storage information Server IP addresses,” the report said.

This could have several consequences, Website Planet continues, such as identity theft that could lead to plain theft – if the leaked information were to be used by bad actors posing as a church and fraudulently collecting donations.

Another concern raised by the discovery is the fear that attackers or shooters motivated by a hatred of Christian churches, or by antisemitism – considering that synagogues are among the website builder's clients – could track down members of the clergy and volunteers thanks to their names and addresses being leaked, and do harm in the real world.

Clover Sites, on the other hand, could suffer financially if competing services decided to take advantage of the details of their business and customer data being exposed in this manner.

According to the report, the vulnerability originated from the website builder's lax security practices around passwords used for its cloud-hosted database. The company is not accredited by the Better Business Bureau and is currently not commenting on either of the two data leaks, although the first has been fixed, Website Planet said.

Clover Sites, who, according to their own website, service more than 10,000 clients, are also not at this point GDPR-compliant, although the company said they were working on it.

The report suggests that once the website builder reaches that goal, the data of their customers might become better protected.


Didi Rankovic

Didi Rankovic is an experienced online journalist, editor, and translator, with a career spanning over ten years writing for major a English-language website in Serbia, and previously working as translator for international organizations and peacekeepers in the Balkans. Rankovic is passionate about free and open source tech and is a head contributor for Reclaim The Net, focusing on lead stories. [email protected]