Goodwill’s auction platform ShopGoodwill.com notified customers of a data breach this month, according to Bleeping Computer. The report referenced a January 14th tweet by Troy Hunt, who tracks such things.
The tweet included an image of an (undated) letter from ShopGoodwill.com to customers informing them that some of their personal contact information was exposed to an unauthorized third party. “This contact information includes your first and last name, email address, phone number, and mailing address.” (See tweet below.)
The letter also said that while the third party accessed buyer contact information, “they did not access your ShopGoodwill account.”
Online news site The Nonprofit Times said it received confirmation from the organization that over 300,000 customers of ShopGoodwill.com were impacted by the data breach. “The data exposure impacted 14% of the total ShopGoodwill.com customer base,” The Nonprofit Times reported on Tuesday.
We sent an email inquiry to Goodwill seeking confirmation and more information about the breach. (See update below.)
According to the organization’s website, Goodwill served more than 25.7 million people in 2019, and over 242,000 people used Goodwill services to earn meaningful employment.
Update 1/20/22: A spokesperson for ShopGoodwill.com provided EcommerceBytes with the following statement:
“We were alerted to an issue on our website which resulted in the exposure to an unauthorized, unknown third party of personal information limited to: name, email, phone and home address.
“No payment information or highly sensitive personal information was exposed. ShopGoodwill.com accounts were not accessed. The issue was remediated within hours of detection and no customer data within our system is currently at risk.
“This data exposure event affected a small percentage of customers who shop on the online e-commerce platform ShopGoodwill.com. All impacted customers were notified directly.
“The incident did not affect customers or donors of other Goodwill members.
“We take this matter very seriously and we are working with qualified data security experts to mitigate risk of incidents like this happening in the future.”