Over three million customers of a US car company have had their details compromised after a cyber-criminal posted them to a dark web forum, according to Risk Based Security.
The security vendor spotted multiple databases uploaded to a hacking forum on January 4 this year, although the data dump apparently took place on December 19 2020.
It traced them back to DriveSure, an Illinois-based business owned by car dealership service provider Krex. Its website explains that the firm helps its clients to build strong customer relationships to encourage drivers back to dealerships for vehicle service and unplanned repairs.
On discovering the forum post, Risk Based Security dug deeper to validate the data from multiple databases. This included names, home and email addresses, phone numbers, car and damage details, text and email messages with dealerships, and over 93,000 bcrypt hashed passwords.
Although stronger than SHA1 and MD5, bcrypt could still be brute-forced if password strength is poor, said Risk Based Security.
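Since the reporting above turns on the bcrypt cost factor (each hash's work factor is written into the hash string itself), the following added example, which is not from the article or from Risk Based Security, shows how a defender triaging a leaked dump of their own hashes can parse that prefix, group the hashes by cost and flag accounts whose hashes were generated with a low cost and so need a forced reset first. The sample hash strings are constructed to have the right shape and are not real password hashes; the `min_cost` threshold of 10 is an assumed policy value, not something the article states.

```python
import re
from collections import Counter

# bcrypt modular-crypt string: $2a$/$2b$/$2x$/$2y$ prefix, two-digit cost,
# 22-char salt and 31-char digest in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(hash_str):
    """Return variant/cost/salt/digest for a bcrypt-shaped string, else None."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # the cost range bcrypt defines
        return None
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def relative_work(cost):
    """bcrypt performs 2**cost rounds of its expensive key setup per guess.

    A single MD5 or SHA-1 call is the baseline of 1, which is why the same
    weak password costs an attacker orders of magnitude more under bcrypt,
    but a short dictionary word is still reachable at any cost factor.
    """
    return 2 ** cost


def triage_hashes(hashes, min_cost=10):
    """Group a dump's hashes by cost factor and flag those below min_cost.

    Returns the cost histogram, the hashes that fall under the policy
    minimum (reset these accounts first) and anything that is not bcrypt
    at all (e.g. legacy unsalted digests that need urgent migration).
    """
    by_cost = Counter()
    below_min = []
    unparsed = []
    for h in hashes:
        info = parse_bcrypt(h)
        if info is None:
            unparsed.append(h)
            continue
        by_cost[info["cost"]] += 1
        if info["cost"] < min_cost:
            below_min.append(h)
    return {"by_cost": dict(by_cost), "below_min": below_min, "unparsed": unparsed}


# Constructed sample dump (well-formed strings only, not real hashes):
SAMPLE_DUMP = [
    "$2b$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",  # cost 12
    "$2b$05$./0123456789ABCDEFGHIJabcdefghijklmnopqrstuvwxyz01234",  # cost 5, weak
    "5f4dcc3b5aa765d61d8327deb882cf99",                              # MD5-shaped
    "$2b$12$truncated",                                              # malformed
]

if __name__ == "__main__":
    report = triage_hashes(SAMPLE_DUMP)
    print("hashes per cost factor:", report["by_cost"])
    print("below policy minimum:", len(report["below_min"]))
    print("not bcrypt:", len(report["unparsed"]))
    print("cost 12 vs cost 5 work ratio:", relative_work(12) // relative_work(5))
```

Running this over a real export prints the cost distribution, which is the first thing to know after a dump like DriveSure's: hashes at a low cost, or anything that is not bcrypt at all, should drive the reset order, and the ratio printed at the end makes concrete why raising the cost buys time without making weak passwords safe.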
The range of data exposed by the attacker appeared to be extensive.
“One leaked folder totalled 22GB and included the company’s MySQL databases, exposing 91 sensitive databases. The databases range from detailed dealership and inventory information, revenue data, reports, claims, and client data,” Risk Based Security explained.
“Separately, the second compromised folder contained 11,474 files in 105 folders and amassed to 5.93GB. Self-identified as ‘parser files,’ they appear to be logs and backups of their databases and contain the same information listed in the previously mentioned SQL databases, adding to the trove of data.”
A third folder contained a 1.5GB customer SQL database with nearly 3.3 million email addresses, including almost 16,000 .mil and .gov addresses, as well as over 5,000 linked to S&P 100 companies, the vendor claimed.
“The information leaked in these databases is prime for exploitation by threat actors, and in particular for insurance scams. Criminals can use personally identifiable information, damage claims, extended car details and dealer and warranty information to target insurance companies and policyholders,” it concluded.
“Moreover, user credentials are used by threat actors to break into other valuable platforms such as bank accounts, personal email accounts and corporate systems. The diverse set of user data can also be used to guess and crack security questions often used by companies to reset passwords. Commercial email addresses can even be targets for spear-phishing or extortion.”
DriveSure responded promptly to Risk Based Security and reportedly said it is investigating the incident.