A massive database leak exposed the sensitive and personal information of 10 million car owners in the US. Security researchers found an unprotected database holding records from various US-based auto dealerships that leaked names, addresses, home and work phone numbers, dates of birth, gender and details of children over the age of 12.
The leak was discovered by researchers at Kromtech Security, who said the exposed records also listed the vehicles owned, including Vehicle Identification Number (VIN), model, model year, sales rep name and mileage. The data also contained sales details such as the odometer reading, pay type, monthly payment amount and more.
"Sophisticated criminals have now created a way to combine traditional offline crimes like stealing cars and technology," Kromtech researcher Bob Diachenko wrote in a report detailing the leak. "Criminals are now using leaked or hacked data to obtain unique identifiers for a vehicle and then 'cloning' a VIN to make a stolen car appear to be perfectly legal."
The leaked data did not include car owners' card data, Diachenko told IBTimes UK. However, the researcher said that "to some extent" criminals could use the exposed data to perpetuate identity fraud.
The security expert also explained how VIN cloning has become the go-to technique for car thieves. VIN cloning involves criminals scoping out car dealerships, looking for a car of the same model, make and sometimes even colour as the stolen car. Once found, the thieves note down that car's VIN, which they then replicate and place onto the stolen car.
"One final step—the thieves use a little forgery to get a real title or other ownership documents from the motor vehicle office in the neighboring state," Diachenko told us. "Then, it's no problem to sell the vehicle to an unsuspecting victim for nearly full price. And since it's legally registered and not reported stolen, it's nearly untraceable."
Diachenko referred to a recent massive car hack and theft incident, which saw members of a Tijuana motorcycle club steal 150 Jeep Wranglers. The researcher said that in this case, the car thieves "used stolen VIN numbers to steal the cars. Using a compromised database of VINs for Jeep Wranglers, these bikers were able to create duplicate keys to gain access to the Jeeps they targeted".
Coincidentally, the leaked data also includes the unique VINs of 16,522 Jeep Wranglers. However, VINs alone may not hold much value. "Of course, having VIN alone does not mean one has control over your vehicle, but in combination with other information, such as sales and personal details, that potentially could hurt you," Diachenko said.
The leaked data had been online for 137 days. The owner of the unsecured database has still not been identified.
"This leak is a warning notice to Auto Dealerships to do more to protect not just their customer data, but also details about the cars they sell," Diachenko added.