Honda logo

Honda Car India has left the personal details of over 50,000 users exposed on two public Amazon S3 buckets, according to a report published today Kromtech Security.

The two AWS buckets contained the personal details of users who downloaded and installed Honda Connect, a mobile app developed by Honda Car India.

Honda Connect is your typical remote car management app, which allows users to interact with their Honda smart cars, but also to contract and interact with services provided by Honda Car India.

S3 buckets leaked names, passwords, car VINs, more

As such, across time, the app had collected and stored vasts amounts of personal data about Honda India's customers and their respective cars.

Honda leaky server

Bob Diachenko, the Kromtech security researcher who found the exposed S3 buckets and contacted Honda, says the servers contained the following types of user and car information:

User gender
Phone numbers for both users and their trusted contacts
Email addresses for both users and their trusted contacts
Account passwords
Car Connect IDs, and more

S3 buckets had been leaking for at least three months

But Diachenko wasn't the first to discover Honda India's S3 buckets. Diachenko says that when he came across the exposed buckets, they already contained a file named poc.txt with the following message.

Poc.txt left by Wiggins

This is an automated file created by a security researcher named Robbie Wiggins. For almost a year now, Wiggins has been scanning the Internet for AWS S3 buckets with incorrect permissions and leaving this message on unsecured servers. Wiggins has been doing this to warn server owners and urge them to secure servers before someone hijacks or ransoms their data.

Diachenko says the timestamp on Wiggins' file was February 28, 2018, three months and one day ago.

"Honda Car India didn't even notice that a security researcher added a note to their buckets," Diachenko noted. "There is no excuse for that, it clearly illustrates that they are simply running on auto-pilot with no monitoring at all."

The Kromtech researcher has, in the meantime, personally notified Honda Car India about their leaky S3 buckets, which are now secured. Nonetheless, the process wasn't easy. Diachenko told Bleeping Computer that it took almost two weeks to get in contact with the company and have it secure its users' data.

Related Articles:

Get The Pay What You Want: AWS Cloud Development Bundle Deal

Google+ Shutting Down After Bug Leaks Info of 500k Accounts

Telegram Leaks IP Addresses by Default When Initiating Calls

United Nations WordPress Site Exposes Thousands of Resumes

Database with 11 Million Email Records Exposed