VIN Leak: 10M Auto Records, Personal Details Leak Online
An unprotected database containing information about more than 10 million automobiles sold in the United States, including vehicle identification numbers (VIN) and personal information about the owners, has been discovered by security researchers.
Kromtech Security, the makers of MacKeeper, first found the database and published a blog post about its existence. Some of the information within the database was verified by Gizmodo.
The database contains a considerable amount of personal information associated with the purchasers of vehicles, including full names, home addresses, phone numbers and birth dates. The data on the cars include the VIN, model, year and mileage.
The database also includes details about the sale of the car, including the purchase price of each vehicle and how much the owner pays each month.
The source of the database is unclear, though Kromtech researchers have speculated it was created for marketing purposes. The information appears to have been collected from a number of auto dealerships across the U.S.
Dealerships affected by this leak include Acura, BMW, Chrysler, Honda, Hyundai, Infiniti, Jeep, Kia, Mini, Mitsubishi, Nissan, Porsche and Toyota.
The discovery of the database comes less than a week after federal authorities announced the indictment of several members of the Tijuana-based Hooligans Motorcycle Club, which stole $4.5 million worth of Jeeps in San Diego County after gaining access to a manufacturer’s key database and hacking the vehicles’ onboard computers.
More than 16,500 Jeep Wranglers are listed in the database, which has been exposed online for several months and has even been updated during that time.
It is not clear whether there is any connection between the Hooligans Motorcycle Club theft ring and the unsecured database, though it is believed the information in the database alone likely would not be enough to carry out such a scheme. The data could have value on the black market and for car thieves who want to mask the identity of a stolen vehicle.
“With such a large number of automobile VINs exposed we are warning car dealerships to take every possible measure to secure their data,” Bob Diachenko, chief communication officer of the Kromtech Security Research Center, wrote. “Cyber criminals are becoming more creative by the day and to see the crossover from online crime to stealing cars is a disturbing trend.”
The lack of security for back-end databases is a growing problem. Mobile security firm Appthority pointed out the issue of unsecured databases exposing information from users of enterprise apps in a report earlier this year. The firm refers to the problem as “HospitalGown” as the front end is covered while the back-end is left exposed.
Assuming the database was used for marketing purposes, it is not the first time such a list has leaked. Earlier this year, more than 1 billion emails and personal information associated with those accounts collected by a marketing spam operation were discovered online.
© Copyright IBTimes 2024. All rights reserved.