
NexOpt, a vehicle tracking service provider, has leaked sensitive real-time and historic travel data from commercial and passenger vehicles from all over the world.
Knowing where your vehicle is can be extremely important. That’s why trucking companies, logistics firms, and ship and vehicle owners utilize telemetrics, long-distance data transmission focused on tracking.
Enter NexOpt, a Germany-headquartered fleet management company that claims to “guarantee maximum data security.” Unfortunately, as the Cybernews research team recently discovered, fleet managers’ data was accessible to a wider audience than intended.
An unsecured NexOpt Kibana instance exposed numerous NexOpt customer details, including vehicle identification numbers (VINs), real-time ship and vehicle locations, and other information not meant for the public eye.
The leaking instance contained nearly a terabyte of data. However, our team believes that at least some of the information was generated for development purposes.

After multiple attempts to contact the company and the relevant CERT, the exposed instance was closed and is no longer publicly available. We have reached out to the company for a comment and will update the article once we receive a reply.
“The leak creates all sorts of dangers for parties involved. For one, the data could be exploited for business intelligence collection, which in turn could be used to organize real-world criminal operations with the intent to steal or modify transported cargo,” Aras Nazarovas, an information security researcher at Cybernews, said.
The team believes the leak exposed millions of commercial and likely some noncommercial trip details. Based on VINs recorded within the system, it appears the affected data was generated by over 300,000 unique vehicles.
What details did the NexOpt data leak reveal?
NexOpt, which operates offices in the USA and Austria, provides several types of tracking services. One of them involves adding a NexOpt tracker to a vehicle, which then transmits real-time information about its whereabouts.
That’s exactly what the team discovered in the exposed instance – NexOpt tracker locations with trip metadata such as journey start and destination addresses. According to the team, tracker data was tied to:
- VINs
- NexOpt device IMEI identifiers
- Vehicle movement data
- Trip origin
- Destination data
- Routes
- Vehicle fuel or charge level data
- Driver’s seat data

“VIN numbers can be used to identify more information about the vehicle, including its owners. While fleet management solutions are often used in goods transportation vehicles, the researchers also found a significant number of VINs identifying light passenger cars while investigating the data leak,” Nazarovas explained.
Why is the NexOpt data leak dangerous?
The majority of the vehicles with exposed movement details were recorded in South Germany and neighboring countries, although some trips were detected in the US, Africa, and the Asian part of Russia.
Leaking location data is always dangerous, but exposing information on entire fleets creates additional risks. For example, crooks could utilize the information to tamper with transported goods, impacting supply chain integrity and confidentiality. Data on third parties that a company conducts business with can also be exploited to target businesses indirectly via partners.
Moreover, it’s entirely possible that passenger vehicles in the dataset belong to company employees or CEOs. Competitors could use this information to find out who the vehicle operator does business with and whom higher-ups are in contact with. This, in turn, can assist in gaining a competitive advantage or be used as a signal for insider trading.
This is not the first time a company that manages location data has left it open to the public. Earlier this year, Cybernews discovered that an iOS tracker app exposed its users’ GPS location data. Last year, we reported that KidSecurity, a popular parental control app, leaked sensitive information about children, exposing GPS locations and private messages on minors’ devices.
- Leak discovered: February 14th, 2025
- Initial disclosure: February 21st, 2025
- CERT contacted: February 28th, 2025
- Leak closed: March 17th, 2025