As I say, I think this is a pretty big security story, but I have not seen a single outlet online reporting on this yet. I’m not sure why that is, but here I am today to report on it, and I can report on it with some degree of certainty, because corporatereport.com was one of those 46,000-plus websites that have been affected by this. What am I talking about? Well, specifically, last Friday, I updated the GiveWP plugin that was being used on corporatereport.com, and from that point, until I found the problem and deactivated the plugin yesterday, in that time, apparently, GiveWP was printing the email addresses of corporatereport donors to the source code of the website.

Now, this wasn’t visible, you wouldn’t see it if you went to corporatereport.com, but it was in the code of the website, and I can confirm that the email addresses were snarfed up by spambots and added to spam lists. So, this is a major security flaw, and as I say, it’s not just the corporate report that has been affected by this, although it has been, it is something on the order of 46,000 websites. At least, there is a site that I found that tracked the number of GiveWP installations, and found 46,000 installations. Maybe they have not all updated to 4.6 yet, and for the vanishingly small percentage of the audience who might happen to be webmasters, who happen to be running that plugin, please do not update to 4.6, and please, please, if you are at all thinking about it, please deactivate the plugin entirely.

I think there are serious questions and concerns about this. First and foremost, because my webmaster, Harley at ExpandDesigns, has contacted GiveWP about this major ongoing security flaw that I can confirm is affecting multiple websites. I’ve checked some of them myself, and the email addresses are currently being exposed, and GiveWP, in the 24 hours since they’ve been contacted, as I’m reporting this on the morning of Wednesday, July 30, Japan time, they still have not even responded. So… Update! So, in between the time that I recorded this video and the time that Brock is editing it, it seems that GiveWP has responded with version 4.6.1 of their plugin, which, if you go to the WordPress developer page, you can scroll down and see that, oh, in the changelog, don’t worry guys, they have addressed an issue with donor information visibility.

So, I guess it’s all patched up now, no problem, they just exposed, however many hundreds of thousands or maybe millions of email addresses, but it’s taken care of now, so don’t worry about it. And continue to use GiveWP, guys. I don’t know about you, but personally, GiveWP has been deactivated, I will never, ever, ever use that plugin ever again. So, that being what it is, let’s get back to the real point here. I don’t know what’s going on, and again, I literally have not seen this story being reported anywhere, but I know it has happened and it has affected a number of websites.

Now, first of all, with regards to the corporate report, some corporate report members’ email addresses and usernames were exposed. No passwords, no other information of any sort, just the email addresses and usernames. But that is still a significant privacy breach and something to take very seriously. Having said that, it was only the people who have signed up via the corporate report membership form, the membership signup form on corporatereport.com slash members for the past year and a half. Those members have been affected. If you signed up originally before that membership signup form, any time before 2024, or if you signed up via Substack or P.O.

Box or Crypto or anything like that, your email address was not exposed. But if you signed up via that signup form any time in the past year and a half, the email address was publicly available at least for some amount of time. And as I say, I know that it was snarfed up by spam bots and added two spam lists. So again, a serious security issue. I take it extremely seriously. Privacy of corporate report members is a number one priority. And that is exactly why I’ve implemented a new security protocol where I will be checking after proactively checking after every single update to the website to make sure that this type of data leak does not happen again.

This is an incredibly important and serious thing. And my sincere apologies that this happened at all. And I will obviously be following this story and hopefully reporting more on it as literally any other internet security, data security website on the planet starts noticing that this has happened. In the meantime, please let’s start raising awareness of this to other webmasters who might unwittingly be exposing the email addresses of some of their donors. So having said that, I will be I am in the process right now of personally emailing every single email address that was exposed to let them know about this problem.

Hopefully that this won’t be ironically put in people’s spam folders and they will actually get this email in their inbox. But if you are a corporate report member and you have any questions about this or you are wondering was my email address on the list, I can confirm that or disconfirm that for you. So please get in touch with me. I will be happy to answer any questions about that. Having said all of that, once again, no passwords or other info was exposed here. But it is always a good idea to keep passwords updated and changed from time to time, especially if you have an easily guessable password.

If your email password is easily guessable, please do go ahead and change it because who knows some spammer at the very least has that email address and who knows what they’re going to try to do with that information. So please keep your passwords changed and up to date and hopefully stronger than password. Do not use that as your password. Having said that again, anyone who happens to be running this plugin or knows a website that is running this plugin, please do not update to 4.6. Please consider deactivating this plugin altogether. I think it is an ongoing security concern and the fact that they haven’t even responded to this concern in 24 hours clearly shows something is incredibly wrong here.

But thirdly, there is a teachable moment in all of this, an interesting teachable moment. The question is, how did I find out about this problem so quickly? When again, it’s not visible, you won’t see any of these email addresses on site. You have to be looking specifically for them in the code of the site. So how did I even find out about this? Because of the diligence of some of the corporate report members who use site-specific email proxy addresses to sign up for services. For people who don’t know about this concept, when you sign up for some specific newsletter or membership or what have you online, you can create a proxy email address.

For example, if you’re signing up for a corporate report membership, you would create corporatereport.com or whatever it is, and that will direct email to your real email address. And once you do that, when you start getting spam emails, you will know because it is directed to, for example, corporatereport.com. You will know, oh, there has been some sort of data leak from corporatereport.com or corporatereport has sold my email address or whatever the case may be. I can assure you, I don’t do that. But in this case, people started to receive spam emails to their corporate report specific site email proxy addresses that they have never used anywhere else for any other service.

So they knew that this data was somehow or other coming from corporatereport.com. They contacted me and I was able to find the problem and deactivate the plugin. So that is a virtuous circle. That is a great idea for, I think, everyone to start implementing. So you better believe I will be doing a solutions watch on that particular idea in the very near future to show people how exactly how to do that and encourage people to do that. I think it’s a great idea just generally speaking. And also it has the added bonus that once you start receiving spam and you know that that particular address has been added to a spam list, you just delete that email proxy and you cut off the spam, right? And you can create a new email proxy and use that for a different service or what have you.

Anyway, that’s a great idea. And of course, it was because of that, because several corporate report members were doing that and were able to inform me that they were getting spam, that I was able to track down the problem. So there’s something good to come out of this. Another, I suppose, good thing that comes out of this bad thing that happened is that it is yet another reminder that it is always a good idea to salt your data. Why give any website, even the corporate report or anyone else, why give them your real name? Why give them your real email address if you don’t have to? Why give them specific information? Make something up.

Oh yeah, my first name is Joey Jojo, Joe Shabadenu, of course, whatever. Again, salt your data. If you don’t know about that concept, I will include the Solutions Watch episode I did on that a couple of years ago in the show notes. So you can re-familiarize yourself with that concept. But all of this, of course, is just another good reminder that everything that takes place online is putting information and data out into the great unknown maw of things. It’s part of the data beast that is being scraped constantly by spam bots and everything else at all times.

And it’s just another good reason not to put our entire lives and identities into these types of systems. But don’t worry, I’m sure they’ll come along with some digital ID solution to all of this. Don’t worry, once we get you to scan your eyeballs and fingerprints to get on the internet, we’ll take care of all of these types of issues, guys. I think that’s a false solution. I hope you do too. And I hope you were here for my continued reporting, not only on just the general development of digital ID, etc., but apparently on internet security issues where I am breaking a breaking news story.

As far as I know, again, the only outlet in the world that is so far reporting on this. Incredible stuff. I will keep you updated and informed. If you have, if you are a corporate report member and you have any questions about any of this, was I on the list? What happened? Anything at all, please do contact me. I will be happy to explain and answer any questions. Having said that, again, let’s all use this as a reminder about just general internet safety and data safety issues and how they develop all of the time. I will be keeping my eye on this story and I will let you know as updates happen.

At any rate, this is the bad news for today. James Corbett, corporatereport.com
[tr:trw].

See more of The Corbett Report on their Public Channel and the MPN The Corbett Report channel.