A huge database leak left sensitive and private details of 10 million car owners in the US exposed to the general public. Security researchers discovered an unprotected database containing data from numerous US-based auto dealerships that leaked sensitive information such as names, addresses, home and work phone numbers, date of birth, gender and children above the age of 12.
The leak was found by researchers at Kromtech Security, who said that the leaked information also included details of automobiles owned, Vehicle Identification Number (VIN), model, model year, sales rep name and mileage. In addition, the leaked information contained sales details, including odometer mileage, pay type, monthly payment amount and more.
“Advanced criminals have now made a way to integrate traditional offline criminal activities like stealing automobiles and technology,” Kromtech researcher Bob Diachenko wrote in a report detailing the leak. “Criminals are now utilizing leaked or hacked information to get special identifiers for a vehicle then ‘cloning’ a VIN to make a stolen vehicle seem perfectly legal.”
The leaked information did not include car owners’ card data, Diachenko told IBTimes UK. The researcher stated that “to some extent” criminals might use the exposed information to perpetrate identity scams.
The security professional also described how VIN cloning has become the go-to method for vehicle thieves. VIN cloning involves criminals scoping out vehicle dealers, searching for a vehicle with the same model, make and in some cases even color as a stolen vehicle. Once one is found, the thieves note down that automobile’s VIN, which they then duplicate and put onto the stolen car.
“One final step – the burglars use a little forgery to obtain a genuine title or other ownership documents from the motor vehicle workplace in the nearby state”, Diachenko told IBTimes. “Then, it’s no problem to offer the car to an unwary victim for almost complete price. And since it’s lawfully registered and not reported stolen, it’s almost untraceable.”
Diachenko described a recent large-scale vehicle hack and theft incident, in which members of a Tijuana biker gang stole 150 Jeep Wranglers. The researcher stated that in this case, the vehicle thieves “used taken VIN numbers to steal the cars. Utilizing a jeopardized database of VINs for Jeep Wranglers, these bikers were able to create duplicate keys to access the Jeeps they targeted”.
Coincidentally, the leaked information also includes unique VINs of an estimated 16,522 Jeep Wranglers, although VINs alone may not hold much worth. “Obviously, having VIN alone does not mean one has control over your vehicle, but in combination with other information, such as sales and personal details, that possibly could hurt you,” Diachenko stated.
The leaked information has been online for 137 days. The identity of the owner of the unsecured database remains unknown.