[BreachExchange] Personal Data of 3 Million+ People Exposed In Drivesure Hack

Destry Winant destry at riskbasedsecurity.com
Mon Feb 1 10:43:10 EST 2021


https://www.riskbasedsecurity.com/2021/02/01/personal-data-of-3-million-people-exposed-in-drivesure-hack/

The Cyber Risk Analytics research team at Risk Based Security captures and
analyzes thousands of data breaches annually. When it comes to breaches,
larger or well-known organizations are usually given the most attention due
to the potential damage a breach can cause. However, even data from a small
company can have a seemingly far-reaching impact.

RELATED: New Research: No. of Records Exposed Increased 141% in 2020
<https://www.riskbasedsecurity.com/2021/01/21/new-research-no-of-records-exposed-increased-141-in-2020/>

What Does Drivesure Do?

Drivesure is a car dealership service provider focused on employee training
programs and customer retention. The Illinois-based company, also known as
Krex Inc, has been operating since 1947. According to their website:

“DriveSure makes it easy for new car dealerships to offer unbeatable
vehicle maintenance and bring customers back for service, tires, and
unplanned repairs.”

Given the nature of its business and its customer-focused mission,
Drivesure maintains a large amount of detailed client data. Car
dealerships provide a variety of information on customer vehicles and
history, making Drivesure a target for threat actors looking to pilfer
valuable data.

The Breach

On January 4th, 2021 our research team uncovered a threat actor posting
multiple databases claiming to originate from Drivesure.com and
Krexinc.com. The databases were shared on a popular English-speaking dark
web hacking forum, and according to the threat actor, the data was dumped
on December 19th, 2020.

In a lengthy post intended to prove the databases’ high quality, the threat
actor detailed the leaked files and the user information. Typically, hackers
only share valuable segments or trimmed-down versions of user databases, but
in this case, numerous backend files and folders were leaked. After
examining the compromised data, one of our researchers concluded that it
appears to be valid.

One leaked folder totalled 22 GB and included the company’s MySQL
databases, exposing 91 sensitive databases. The databases cover detailed
dealership and inventory information, revenue data, reports, claims, and
client data.

Separately, the second compromised folder contained 11,474 files in 105
folders and totalled 5.93 GB. Self-identified as “parser files”, they
appear to be logs and backups of the company’s databases and contain the
same information listed in the previously mentioned SQL databases, adding
to the trove of data.

Examining the files more closely reveals extensive types of user data
exposed:

Names
Addresses
Phone numbers
Email addresses
IP addresses
Automobile details including car makes and models
VIN numbers
Car service records and car dealership records
Damage claims
93,063 bcrypt hashed passwords
Text and email messages with clients

Bcrypt is considered a strong password hashing algorithm relative to older
methods such as MD5 and SHA1; however, bcrypt hashes are still vulnerable
to brute-force attacks depending on the strength of the underlying
password. Hackers can also use previous data breaches or other leaked user
data to guess passwords and recover them from the hashes.

Customer Email Address Domain Breakdown

One of the leaked files consists of a 1.5 GB customer SQL database. Risk
Based Security researchers found the breached database to contain 3,283,725
unique user email addresses.

An analysis of the email address domains provides a clearer picture of
potentially valuable email addresses that hackers may attempt to exploit.
In the database we found 15,905 email addresses on .edu domains, as well
as 2,896 on .mil and 1,725 on .gov domains.

It is common for people to use their professional email address when
registering for personal services, though the number of government
affiliated email addresses is always concerning.

Furthermore, there were 5,392 email addresses linked to S&P 100 companies,
naturally highly sought-after credentials. Using a list of 25 top
cybersecurity and technology companies to narrow our focus, we also found
413 email addresses linked to these types of organizations. This subset of
email addresses potentially poses the highest risk to companies, as these
organizations are popular vendors to most enterprises.
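As an added illustration (not Risk Based Security's own tooling), the domain-category breakdown described above can be reproduced with a short Python script: normalise and deduplicate addresses, count .edu/.mil/.gov domains, and flag any address on a watchlist of organisation domains. The sample addresses and the watchlist below are constructed placeholders for the dump and the S&P 100 / vendor lists.

```python
# Added example (not Risk Based Security's tooling): reproduces the domain
# breakdown above -- unique addresses, .edu/.mil/.gov counts and matches
# against a watchlist of organisation domains. Sample rows and the watchlist
# are constructed stand-ins for the dump and the S&P 100 / vendor lists.
from collections import Counter

WATCHLIST = {"examplecorp.com", "vendor-example.net"}   # constructed
SUFFIX_CATEGORIES = {".edu": "edu", ".mil": "mil", ".gov": "gov"}

# Constructed dump rows: mixed case, a duplicate, junk and subdomains.
SAMPLE_ROWS = [
    "jdoe@ExampleCorp.com",
    "JDOE@examplecorp.com",            # same address once normalised
    "student@cs.state-university.edu",
    "analyst@mail.agency.gov",
    "sgt@army.mil",
    "not-an-email",
    "ops@vendor-example.net",
    "user@gmail.com",
]

def normalise(addr):
    """Lower-case and validate minimally; return None for non-addresses."""
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    if not local or "." not in domain:
        return None
    return f"{local}@{domain}"

def classify(domain):
    """Map a domain to 'edu', 'mil', 'gov', 'watchlist' or 'other'."""
    for suffix, label in SUFFIX_CATEGORIES.items():
        if domain.endswith(suffix):
            return label
    # A watchlisted organisation also matches via any of its subdomains.
    if any(domain == w or domain.endswith("." + w) for w in WATCHLIST):
        return "watchlist"
    return "other"

def breakdown(rows):
    """Deduplicate normalised addresses, then count them per category."""
    unique = {a for a in map(normalise, rows) if a}
    counts = Counter(classify(a.split("@")[1]) for a in unique)
    counts["unique_total"] = len(unique)
    return dict(counts)

if __name__ == "__main__":
    print(breakdown(SAMPLE_ROWS))
```

Pointing `WATCHLIST` at your own organisation's domains turns this into a quick check of whether staff addresses appear in a published dump.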

While only a small subset of users set an online password, the email
addresses combined with the lengthy personal information can pose a severe
risk to affected organizations and users.

Increased Risk for Scams

The information leaked in these databases is prime for exploitation by
threat actors, and in particular for insurance scams. Criminals can use
personally identifiable information, damage claims, extended car details,
and dealer and warranty information to target insurance companies and
policyholders.

Moreover, user credentials are used by threat actors to break into other
valuable platforms such as bank accounts, personal email accounts, and
corporate systems. The diverse set of user data can also be used to guess
and crack security questions often used by companies to reset passwords.
Commercial email addresses can even be targets for spear-phishing or
extortion.

The information can also be used to put together dossiers on individuals,
which are sold on dark web marketplaces at a premium if they contain enough
recent data to be exploited.

Senior leadership from Drivesure responded to Risk Based Security in a very
timely manner and has indicated that they are aware and have investigated
the event.

Cyber Risk Analytics

Interested in more data breach information? Transform headlines into
actionable intelligence with Cyber Risk Analytics.
<https://pages.riskbasedsecurity.com/cyber-risk-analytics>

Cyber Risk Analytics is the standard for actionable data breach
intelligence, risk ratings and supply chain monitoring. Avoid costly risk
assessments while acting quickly to proactively protect your most critical
information assets. Don’t let security gaps of other organizations affect
you.