A massive data breach has compromised the records of 198 million car buyers, such as full names, phone numbers, home addresses, and IP addresses.
Jeremiah Fowler, a senior security researcher at Security Discovery, discovered the breach after coming across the same 413GB dataset multiple times, as reported by PYMNTS.com.
“It was clear that this was a compilation of potential car buyers wanting more information,” Fowler said, telling Forbes that the data included “loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more.”
Fowler eventually figured out that all the website domains linked back to dealerleads.com, which describes itself as “the highest converting vendor in the automotive industry four years running according to Google Analytics!”
According to its website, DealerLeads collects and purchases “popular automobile relevant domains based on search terms used by car buyers,” adding “we have turned these frequently used search terms into a variety of websites SEO’d to match those search terms.”
The unsecured database held 198 million records, including names, email addresses, phone numbers, street addresses and “other sensitive or identifiable information exposed to the public internet in plain text,” noted Fowler, who added that data, such as IP addresses, ports, pathways, and storage info, could be used to further navigate the network.
While Fowler notified DealerLeads via email about the breach on Aug. 19, the database was still online the next day. So, he called the company, and public access was closed shortly after that notification.
Fowler said that it was “unclear if DealerLeads has notified individuals, dealerships or authorities about the data incident,” and as a result “potential customers may not know if their data was exposed.”
“This breach once again highlights the advantage adversaries have against defenders,” said Israel Barak, chief information security officer at Cybereason. “The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn’t take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders.”
PYMNTS.com (2019, September 15). Data breach leaks 198M car buyers’ personal data.