Hacker slip-up? 762,000 car owners have vehicles, home addresses exposed online


Businesses and organizations leaking sensitive user details is always a cause for concern. However, when legitimate personal data leaks from a completely unknown source, the issue is much more distressing.

The Cybernews research team discovered that a highly sensitive database with details on 762,000 China-based car owners and their vehicles has been leaked online. The data, hosted on a US-based IP address, was first discovered on August 4th and remained exposed for at least 48 hours.

According to the team, the exposed data contained sensitive details about car owners based in Shanghai and other regions in China. The leaked records cover almost everything there is to know about a person who owns a vehicle, including:

  • Full name
  • ID number
  • Phone number
  • Email
  • Address
  • Birthday
  • Vehicle identification number (VIN)
  • Car brand
  • Car model
  • Engine number
  • Vehicle color

“The exposure of this database is particularly alarming due to the detailed nature of the personal and vehicle information involved. The breach could have severe consequences for the affected individuals, including identity theft, financial fraud, and potential physical security risks,” Cybernews researchers said.

While any personal data exposure puts users at risk of identity theft or financial fraud, revealing personal details and the property they own, including where that property is located, can add another layer of risk, as attackers could exploit the information for grand theft auto.

The leaked database could serve crooks focused on vehicle-related crimes. For example, criminals could exploit leaked VINs of legally registered vehicles to mask the identity of stolen cars.

“This incident highlights the ongoing risks associated with the improper handling and securing of large datasets, particularly those containing sensitive PII. It underscores the need for stringent data protection measures and the importance of accountability in data management,” our researchers said.

Interestingly, it’s unclear who owns the exposed Elasticsearch instance with a trove of sensitive China-based vehicle owner data. The unknown nature of the data’s ownership means that it’s highly unlikely that individuals whose details were exposed will ever be notified about the leak.

Moreover, as the China-based data was hosted on a US-based instance without a clear owner, it could point to an attacker-owned database. Attackers often compile large amounts of data as it can be leveraged for a wide range of attacks, such as identity theft, sophisticated phishing schemes, targeted cyberattacks, and unauthorized access to personal and sensitive accounts.

As Cisco Talos researchers revealed during the Black Hat USA 2024 conference, attackers can leverage vehicle information for novel types of attacks, such as targeting infotainment systems and stealthily infiltrating user systems.
