Clovers often get referred to as a sign of good luck, but that is not the case with a web hosting company that uses Clover in its name and a clover leaf in its branding, cloversites.com.

Cloversites has been leaking its customers' details for at least 3 months now via an unsecured Elasticsearch instance, and on top of this they have ignored all my attempts to notify them of this issue. The leaking data totals over 100,000 rows, with 24,000 unique emails, and contains users' full names, billing and contact addresses, contact telephone numbers, notes/tickets, basic payment information and which domain it is all tied to.

Clover appears to offer special services to churches, and that is very clear within one of the indices it is leaking, with most entities being small churches within the United States. On Clover's website they claim to have over 10,000 clients all across the world; however, from what I can see in the exposed data, it is US-based clients that are affected. If by chance there are any European clients, thanks to the GDPR they will have to alert the ICO and all affected clients.

The discovery was made in early November 2018 and contact was attempted right away after analyzing the content; it was all too clear this was the data of an internal system used to maintain notes and actions taken against a client's account for cloversites.com. After trying to reach them via email, I attempted to do this via private DM to the main Clover Twitter account, since the support account for Clover does not have 'open direct messages', which didn't go well, as I still have not had any reply and the account has old tweets, making me think they never even check or use Twitter anymore. After some time I attempted to reach out to Clover via Twitter in a public tweet; this also has returned nothing at all. So far there have been over 5 attempts to notify them via Twitter and 5 emails sent off, and nothing has been done. Due to this I will not be publishing any identifying information, as it may lead to the discovery of the still-live system.