The personal information of 10 million U.S. car owners has been exposed in a massive leak of car vehicle identification numbers (VINs).

Researchers at Kromtech Security discovered an unprotected database of car VINs, which is a unique identifying code for a vehicle on the U.S. roads, according to Bleeping Computer. The database, which has now been online for more than 137 days, contains sensitive and potentially valuable information.

There are fears that criminals could use this personal data to commit identify fraud. The leak should serve as both a warning to consumers and a reminder to auto dealerships about the importance of strong information protection.

Analyzing the Database Leak

The database was left online with no authentication, meaning that any knowing individual could scan the internet, find the database and then download sensitive information without restriction. Cybercriminals could use the unsecured information to commit fraud or identity theft.

It is structured by access to customer, vehicle and sales details. Customer details include personal information such as name, address, phone number and birth date. The vehicle details refer to car VINs and additional information such as model, year and mileage. Sales details also include VINs, payment amount and payment type, such as cash or card.

Kromtech’s chief communication officer, Bob Diachenko, wrote in a report that the leaked data did not include car owners’ card details, according to The International Business Times. However, he noted, the leaked information could be enough for threat actors to commit identity fraud.

The Value of Car VINs

In his report, published on MacKeeper Security, Diachenko suggested that criminals are developing increasingly sophisticated techniques to combine online data with offline crimes. Fraudsters are using stolen data to obtain unique vehicle identifiers and then cloning VINs to make stolen cars appear perfectly legal.

A threat actor could use the database to make a new VIN plate and obtain a fake title for the car of his or her choice. Once the car is stolen, the fraudster can use the real VIN number from the database to sell the car to an unsuspecting buyer, who might not discover the crime until it’s too late.

Diachenko also referred to a recent case where members of a Tijuana motorcycle club used a compromised VIN database to steal 150 Jeep Wranglers, explained Bleeping Computer. It is unclear how the cybercriminals gained access to the database, but the incident demonstrated the dangers of exposed VINs.

The Importance of Database Security

News of the leak will come as little surprise to experts, who have long warned about the appeal of customer databases to cybercriminals. Organizations must focus on data protection techniques that stop fraudsters from actively stealing information and also prevent accidental leaks.

The report also warned that cybercriminals are becoming more creative by the day. The scale of the VIN database leak highlighted how dealerships must work hard to secure their data. Furthermore, those businesses must do more to protect customer data and the details of the cars they sell.

Diachenko provided a copy of the exposed database to Have I Been Pwned, which indexes leaked data sets. Once the imported data is added, U.S. car owners should be able to search the online service for their details to see if they have been compromised.

More from

Now Social Engineering Attackers Have AI. Do You? 

4 min read - Everybody in tech is talking about ChatGPT, the AI-based chatbot from Open AI that writes convincing prose and usable code. The trouble is malicious cyber attackers can use generative AI tools like ChatGPT to craft convincing prose and usable code just like everybody else. How does this powerful new category of tools affect the ability of criminals to launch cyberattacks, including social engineering attacks? When Every Social Engineering Attack Uses Perfect English ChatGPT is a public tool based on a…

4 min read

Despite Tech Layoffs, Cybersecurity Positions are Hiring

4 min read - It’s easy to read today’s headlines and think that now isn’t the best time to look for a job in the tech industry. However, that’s not necessarily true. When you read deeper into the stories and numbers, cybersecurity positions are still very much in demand. Cybersecurity professionals are landing jobs every day, and IT professionals from other roles may be able to transfer their skills into cybersecurity relatively easily. As cybersecurity continues to remain a top business priority, organizations will…

4 min read

How I Got Started: White Hat Hacker

3 min read - White hat hackers serve as a crucial line of cyber defense, working to identify and mitigate potential threats before malicious actors can exploit them. These ethical hackers harness their skills to assess the security of networks and systems, ultimately helping organizations bolster their digital defenses. But what drives someone to pursue a career as a white hat hacker, and how do you get started in leveraging so-called “evil” skills for the greater good?? In this exclusive Q&A, we spoke with…

3 min read

Heads Up CEO! Cyber Risk Influences Company Credit Ratings

4 min read - More than ever, cybersecurity strategy is a core part of business strategy. For example, a company’s cyber risk can directly impact its credit rating. Credit rating agencies continuously strive to gain a better understanding of the risks that companies face. Today, those agencies increasingly incorporate cybersecurity into their credit assessments. This allows agencies to evaluate a company’s capacity to repay borrowed funds by factoring in the risk of cyberattacks. Getting Hacked Impacts Credit Scoring As per the Wall Street Journal…

4 min read