For 137 days now, a yet-to-be-identified company has left a database containing over 10 million Vehicle Identification Numbers (VINs) exposed online with no authentication.
This means that anyone who knows what to look for can find the server by mass-scanning the Internet and download the sensitive data it holds without any restriction.
The database was discovered by researchers from the Kromtech Security Research Center, whose experts believe it was compiled for marketing purposes.
Based on the data contained within the exposed database, researchers believe it belongs to one or more US-based dealerships.
The database's content is organized into three main sections, holding information on customers, vehicles, and sales, respectively.
For example, the tables pertaining to customer information hold details such as full name, address, mobile/home/work phones, email, date of birth, gender, and the number of children over 12 years old.
The table holding vehicle information includes each car's Vehicle Identification Number (VIN), model, model year, assigned sales representative name, mileage, and more.
The last section, holding sales details, includes VIN, odometer mileage, gross sales, pay type, monthly payment amount, purchase price, and payment type (cash, bank, card).
Besides exposing customer PII (Personally Identifiable Information) that could be used in online fraud and identity theft, the database, if found by other threat actors, enables a more specific kind of crime.
Believe it or not, the most sought-after information exposed in the database is the VINs, the serial number unique to each vehicle.
For the last decade, car thieves have been using stolen VINs to pass off stolen cars as legitimate. Below is the FBI's explanation for this technique, called "car cloning."
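Because a VIN is a structured identifier rather than an arbitrary serial, anyone triaging a leaked column like this one (a researcher confirming the data is real, or HIBP preparing an import) can check it mechanically. The following is an added example, not code from the original article or from Kromtech or HIBP: it validates the 17-character format, the forbidden letters I, O and Q, and the position-9 check digit that North American VINs carry under ISO 3779 / FMVSS 115. The sample VINs in the block are constructed for the example and are not taken from the exposed database.

```python
"""Triage a column of supposed VINs from a leaked dataset.

Added example, not code from the original article or from Kromtech/HIBP.
Implements the ISO 3779 / FMVSS 115 check-digit rule that North American
VINs carry in position 9. The sample VINs below are constructed for the
example; they do not come from the exposed database.
"""
from collections import Counter

# Letters I, O and Q never appear in a VIN (too easily confused with 1 and 0).
VIN_ALPHABET = set("0123456789ABCDEFGHJKLMNPRSTUVWXYZ")

# Transliteration of characters to numeric values for the check-digit sum.
_TRANSLIT = {
    **{c: i + 1 for i, c in enumerate("ABCDEFGH")},            # A-H -> 1-8
    **{c: v for c, v in zip("JKLMNPR", (1, 2, 3, 4, 5, 7, 9))},  # J-R (no I, O, Q)
    **{c: i + 2 for i, c in enumerate("STUVWXYZ")},            # S-Z -> 2-9
    **{d: int(d) for d in "0123456789"},
}

# Positional weights; position 9 (the check digit itself) has weight 0.
_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2)


def expected_check_digit(vin: str) -> str:
    """Return the check digit a 17-character VIN should carry in position 9."""
    total = sum(_TRANSLIT[c] * w for c, w in zip(vin, _WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def classify_vin(raw: str) -> str:
    """Classify one field as 'valid', 'bad_check_digit', 'bad_charset' or 'bad_length'.

    Note: the check digit is only mandatory for North American VINs, so
    'bad_check_digit' on a European VIN is not by itself proof of junk data.
    """
    vin = raw.strip().upper()
    if len(vin) != 17:
        return "bad_length"
    if not set(vin) <= VIN_ALPHABET:
        return "bad_charset"
    if vin[8] != expected_check_digit(vin):
        return "bad_check_digit"
    return "valid"


def triage(fields) -> Counter:
    """Count how a dump's VIN column breaks down by category."""
    return Counter(classify_vin(f) for f in fields)


# Constructed sample: one well-formed VIN, one with a flipped serial digit,
# one containing the forbidden letter O, and one that is truncated.
SAMPLE_DUMP = [
    "1M8GDM9AXKP042788",   # check digit X matches the weighted sum
    "1M8GDM9AXKP042789",   # last digit changed, check digit no longer matches
    "1M8GDM9AXKP04278O",   # letter O is not allowed in a VIN
    "1M8GDM9AXKP0427",     # too short
]

if __name__ == "__main__":
    for field in SAMPLE_DUMP:
        print(f"{field:20} {classify_vin(field)}")
    print(dict(triage(SAMPLE_DUMP)))
```

Running the block over a real dump and seeing a high share of `valid` rows is a cheap first signal that the column holds genuine VINs rather than placeholders or test data; a high share of `bad_check_digit` rows on US dealership data would instead suggest transcription errors or fabrication.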
Besides car cloning, VINs can also be used for other criminal operations. For example, last week, a motorcycle gang from Mexico known as the Hooligans showed the world another way of using stolen VINs.
The group started by obtaining the VIN of a car they wanted to steal; they focused exclusively on Jeep Wranglers.
After obtaining the VIN, the gang would illegally access a car dealership's proprietary database and retrieve the two codes needed to create replacement keys.
The gang would then use these duplicate keys to unlock the vehicles and drive off with them in the middle of the night.
Compared to car cloning, this method is more complex, as it requires access to proprietary key-code databases, but an attacker who finds 10 million VINs on the Internet has already completed the first step.
Bob Diachenko, a member of the Kromtech team who discovered the database, has provided a copy of the exposed database to Have I Been Pwned (HIBP), a service that indexes leaked data sets.
HIBP is currently in the process of importing the leaked VIN database. Once the data has been added, US car owners will be able to use Have I Been Pwned to search by their name or other details and see whether their car's VIN was exposed via this database.
And since we're on the topic of car hacking, yesterday, security researcher Aaron Guzman presented a method of hacking Subaru cars. His work is detailed in an exclusive article on Data Breach Today.