The New Jersey-based charity has plagued the American airwaves for years with the “most hated” jingle to try to get consumers to trade in their car — for the kids! But a security lapse left thousands of those donation records exposed for anyone to find.

Bob Diachenko, Hacken.io’s director of cyber risk research, earlier this month found the company’s MongoDB database on a server, wide open and without a password.