
Bad news: 1-877-KARS4KIDS had a data breach. Worse news: now you’ll have that awful jingle stuck in your head all day.
The New Jersey-based charity has plagued the American airwaves for years with the “most hated” jingle to try to get consumers to trade in their car — for the kids! In return, you get to write off the donation from your taxes, and you’re given a “holiday voucher” to sweeten the deal.
But a security lapse left thousands of those donation records exposed for anyone to find.
Bob Diachenko, Hacken.io’s director of cyber risk research, earlier this month found the company’s MongoDB database on a server, wide open and without a password.
The server contained 21,612 records and climbing — representing weeks’ worth of data, Diachenko told TechCrunch, prior to blogging his findings. The data included donor email addresses and donation receipts, which included customized links to a donor’s tax receipt. He also found credentials, which he said could have allowed a hacker to access far more sensitive data.
Yet it took Kars4Kids two days to pull the database offline after Diachenko warned of the data exposure, he said.
Diachenko said that Kars4Kids had told him that customers had been informed, but TechCrunch has found no evidence of the company’s claim.
Kars4Kids spokesperson Wendy Kirwan acknowledged the breach in an email Tuesday, adding that its “legal team advised that we are not, according to state law, obligated to inform the NJ Attorney General about the breach.”
It isn’t known how long the database was exposed, but Diachenko said he wasn’t the first to discover the database. A note left in the database by a hacker claimed to have “downloaded and backed up”; the hacker demanded bitcoin in exchange for the data’s safe return.
The breach represents a portion, though not all, of the cars that Kars4Kids receives annually, reportedly tens of thousands each year. The nonprofit has been criticized over the handling of its finances, and currently has a “moderate concern” rating from independent evaluator Charity Navigator.