Tech researchers have discovered another treasure trove for hackers online after a database of personally identifiable information of nearly 200 million car buyers was reportedly leaked by U.S. based marketing firm.
The trove was discovered by Jeremiah Fowler, who works as a researcher at SecurityDiscovery, who found that 413-gigabytes of personally identifiable information (PII) was leaked to a ElasticSearch database. Included in the data were the names, email addresses, home addresses and phone numbers of 198 million car buyers that had their details logged and stored in a plain-text database.
“Dealer Leads provides online marketing support in the form of prospective car buyers for dealerships around the US. It’s unknown how long the data was exposed for.”
Fowler explained that the IP addresses, ports, pathways and storage information were also left publicly accessible, meaning “that cyber-criminals could exploit to access deeper into the network,” he said. He spent days attempting to locate the owner of the database, researching its host server for a potential lead on its owner.
“Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com,” Fowler said. “I was able to speak with the general sales manager who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.”
According to reports, “Dealer Leads provides online marketing support in the form of prospective car buyers for dealerships around the US. It’s unknown how long the data was exposed for.”
“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed.”
The recent discovery mirrors that of the Honda database that was found online by researchers that we reported on a few months back, as well as recent privacy leaks hosted on Elasticsearch like the Amazon Web Service leak, 8TB of leaked email metadata from one of China’s largest universities, due to security misconfigurations that were ultimately exploited.
The Dealer Leads database shines a light on just how essential it is to have proper and effective controls in place surrounding your organisation’s data, and the data that your organisation receives from customers. The implicit deal is that as the customer hands over this data, they’re entrusting you to keep it safe- so make sure your organisation has an effective information security management system in place to assure you aren’t existentially threatened by hackers if they do try to access your data.