[BreachExchange] 198 Million Car-Buyer Records Exposed Online for All to See

Destry Winant destry at riskbasedsecurity.com
Fri Sep 13 10:17:48 EDT 2019


An ElasticSearch DB belonging to Dealer Leads exposed a raft of
information collected by “research” websites aimed at prospective car

Over 198 million records containing information on prospective car
buyers, including loan and finance data, vehicle information and the IP
addresses of website visitors, have been found exposed on the internet
for anyone to see.

The Elasticsearch database, which had no password protection, belonged
to Dealer Leads, a company that gathers information on prospective
buyers via a network of SEO-optimized, targeted websites. According to
Jeremiah Fowler, senior security researcher at Security Discovery, the
websites all provide car-buying research information and classified
ads for visitors. They collect this information and pass it on to
franchise and independent car dealerships to be used as sales leads.
In total, the exposed database contained 413GB of data.

The information included records with names, email addresses, phone
numbers, physical addresses, IP addresses and other sensitive or
identifiable information exposed to the public internet in plain text,
according to Fowler. In addition, there were “ports, pathways, and
storage info that cybercriminals could exploit to access deeper into
the network,” the researcher said.

He added that the business model used by Dealer Leads is not
particularly transparent. “When contacting a local dealership in their
hometown about a specific automobile they may not have known that the
website actually collected their data as a lead or that this data
could potentially be stored, saved, sold or shared via DealerLeads,”
he noted.

After discovering the database in mid-August, Fowler traced the
information back to multiple website domains.

“Upon further investigation I noticed that many of the websites
appeared to be a mix of lead-generation sites and smaller, possibly
independent dealerships,” he said in his writeup posted on Wednesday.
“I called several of the websites found inside the database to ask
where they purchased their leads and could never get a straight
answer, despite informing them of a potential data breach. I spent
several days trying to identify the owner of the database and there
was no clear indication in the millions of records.”

Eventually, in manually reviewing multiple domains, Fowler found that
they all linked back to dealerleads[.]com.

California-based Dealer Leads closed off public access to the
database, which was set to be open and visible in any browser without
administrative credentials, shortly after Fowler called the company on
August 20. However, the data set appeared to have been floating around
for some time before that. It’s also unclear, Fowler said, if Dealer
Leads informed the car dealerships with which it works, or the
impacted website visitors themselves.

“Unfortunately, the data was exposed for an undetermined length of
time and it is unclear who else may have had access to the millions of
records that were publicly exposed,” said Fowler. “This is another
wake up call for any organization that collects and stores large
amounts of data. It is crucial to ensure that the proper safeguards
are in place. Data protection and privacy are now becoming a core part
of the business landscape and there is a growing shift where more and
more people realize that customer data is just as important as the
products or services.”

The incident is just the latest in a string of cloud storage
misconfigurations that have been discovered exposing sensitive
information to the open internet. The most recent high-profile case
was of course Capital One, where a cybercriminal accessed the data of
more than 100 million people in the U.S. and 6 million in Canada.
Thanks to a cloud misconfiguration, the attacker was able to access
credit applications, Social Security numbers and bank account numbers
in one of the biggest data breaches to ever hit a financial services
company — putting it in the same league in terms of size as the
Equifax incident of 2017.

“Another week, another ElasticSearch misconfigured server,” said Anna
Russell, vice president at comforte AG, via email. “It is clear that
those that choose to use cloud-based databases must perform necessary
due diligence to configure and secure every corner of the system
properly. Sadly, with the recent wave of ElasticSearch, MongoDB, Big
Data, and other Open Source breaches, it does look like security is
not being taken seriously enough. Just because a product is freely
available and highly scalable doesn’t mean you can skip the basic
security recommendations and configurations. Beyond ensuring that
products and services are correctly deployed and maintained by
competent, experienced staff, organizations must also secure their
cloud-based data by adopting a data-centric security model that
protects the data at rest, in motion, and in use – even if a properly
configured system is compromised.”

Dan Tuchler, CMO at SecurityFirst, pointed out that Elastic has
recommendations on how to secure its servers: Secure authenticated
sign-on, managed users and roles, encryption, layered security and
audit logging.

“These steps should apply to any server,” he noted.
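As an added illustration, not taken from the article or from Elastic's own documentation, this is what those recommendations look like in an `elasticsearch.yml`, with the exposed pattern shown commented out next to the hardened settings. It assumes a 7.x-era node with the bundled X-Pack security module; the certificate paths are placeholders, and audit logging is assumed to be available under the deployment's licence tier.

```yaml
# Constructed example elasticsearch.yml fragment (not Dealer Leads' configuration).
# Assumption: Elasticsearch 7.x with X-Pack security available.

# --- The pattern behind exposures like this one (commented out deliberately) ---
# A node bound to every interface with security switched off answers any
# browser on port 9200 with no credentials at all.
# network.host: 0.0.0.0
# xpack.security.enabled: false

# --- Hardened settings ---
network.host: 0.0.0.0                      # reachable as before, but no longer anonymous

# Authenticated sign-on plus managed users and roles: every request must
# carry credentials, and permissions are granted per role, not cluster-wide.
xpack.security.enabled: true

# Encryption in motion between nodes (required once security is on in a
# multi-node cluster). Keystore/truststore paths are placeholders.
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Encryption in motion on the REST API so credentials are never sent in clear.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12

# Audit logging: records authentication successes/failures and access
# decisions so an exposure window is no longer "undetermined".
xpack.security.audit.enabled: true
```

A quick defender's check after restarting the node: an unauthenticated request to `https://<host>:9200/` should now return HTTP 401 rather than the cluster banner, and the layered-security point in the article still applies, so the port should additionally sit behind a firewall or private network rather than being exposed to the internet at all.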
