Author: Catalin Cimpanu / Source: BleepingComputer
For 137 days now, a yet-to-be-identified company has left a database containing over 10 million Vehicle Identification Numbers (VINs) exposed online with no authentication.
This means that anyone who knows what to look for can mass-scan the Internet for it and download large amounts of sensitive information without any restriction.
The database was discovered by researchers from the Kromtech Security Research Center, whose experts believe it was compiled for marketing purposes.
Database leaks user PII, car VINs, sales data, more
Based on the data contained within the exposed database, researchers believe the DB belongs to one or more US-based dealerships.
The database’s content is organized into three main sections, each holding information on customers, cars, and sales details.
For example, the database tables pertaining to customer info hold details such as full name, address, mobile/home/work phones, email, date of birth, gender, and the number of children over 12 years old.
The database table holding vehicle information includes a car’s Vehicle Identification Number (VIN), model, model year, assigned sales representative name, mileage, and more.
The last part, which holds sales information, includes details such as VIN, odometer mileage, gross sales, pay type, monthly payment amount, purchase price, and payment type (cash, bank, card).
Besides exposing customer PII (Personally Identifiable Information) that could be used in online fraud and identity theft, the database, if discovered by other threat actors, could cause far more serious problems.
VINs could be used in mass car cloning operation
Believe it or not, the most sought-after information exposed in the database is the VINs, a serial number unique to each vehicle.
For the last decade, car thieves have been using stolen VINs to pass off stolen cars as legitimate. Below is the…