[BreachExchange] Over Three Million US Drivers Exposed in Data Breach

Destry Winant destry at riskbasedsecurity.com
Fri Feb 5 10:59:10 EST 2021


https://www.infosecurity-magazine.com/news/over-three-million-us-drivers/

Over three million customers of a US car company have had their
details compromised after a cyber-criminal posted them to a dark web
forum, according to Risk Based Security.

The security vendor spotted multiple databases uploaded to a hacking
forum on January 4 this year, although the data dump apparently took
place on December 19 2020.

It traced them back to DriveSure, an Illinois-based business owned by
car dealership service provider Krex. Its website explains that the
firm helps its clients to build strong customer relationships to
encourage drivers back to dealerships for vehicle service and
unplanned repairs.

On discovering the forum post, Risk Based Security dug deeper to
validate the data from multiple databases. This included names, home
and email addresses, phone numbers, car and damage details, text and
email messages with dealerships, and over 93,000 bcrypt hashed
passwords.

Although stronger than SHA1 and MD5, bcrypt could still be
brute-forced if password strength is poor, said Risk Based Security.

The range of data exposed by the attacker appeared to be extensive.

“One leaked folder totalled 22GB and included the company’s MySQL
databases, exposing 91 sensitive databases. The databases range from
detailed dealership and inventory information, revenue data, reports,
claims, and client data,” Risk Based Security explained.

“Separately, the second compromised folder contained 11,474 files in
105 folders and amassed to 5.93GB. Self-identified as ‘parser files,’
they appear to be logs and backups of their databases and contain the
same information listed in the previously mentioned SQL databases,
adding to the trove of data.”

A third folder contained a 1.5GB customer SQL database with nearly 3.3
million email addresses, including almost 16,000 .mil and .gov
addresses, as well as over 5000 linked to S&P 100 companies, the
vendor claimed.

“The information leaked in these databases is prime for exploitation
by threat actors, and in particular for insurance scams. Criminals can
use personally identifiable information, damage claims, extended car
details and dealer and warranty information to target insurance
companies and policyholders,” it concluded.

“Moreover, user credentials are used by threat actors to break into
other valuable platforms such as bank accounts, personal email
accounts and corporate systems. The diverse set of user data can also
be used to guess and crack security questions often used by companies
to reset passwords. Commercial email addresses can even be targets for
spear-phishing or extortion.”

DriveSure responded promptly to Risk Based Security and reportedly
said it is investigating the incident.
