June 7, 2017 By Mark Samuels 2 min read

The personal information of 10 million U.S. car owners has been exposed in a massive leak of car vehicle identification numbers (VINs).

Researchers at Kromtech Security discovered an unprotected database of car VINs, which is a unique identifying code for a vehicle on the U.S. roads, according to Bleeping Computer. The database, which has now been online for more than 137 days, contains sensitive and potentially valuable information.

There are fears that criminals could use this personal data to commit identify fraud. The leak should serve as both a warning to consumers and a reminder to auto dealerships about the importance of strong information protection.

Analyzing the Database Leak

The database was left online with no authentication, meaning that any knowing individual could scan the internet, find the database and then download sensitive information without restriction. Cybercriminals could use the unsecured information to commit fraud or identity theft.

It is structured by access to customer, vehicle and sales details. Customer details include personal information such as name, address, phone number and birth date. The vehicle details refer to car VINs and additional information such as model, year and mileage. Sales details also include VINs, payment amount and payment type, such as cash or card.

Kromtech’s chief communication officer, Bob Diachenko, wrote in a report that the leaked data did not include car owners’ card details, according to The International Business Times. However, he noted, the leaked information could be enough for threat actors to commit identity fraud.

The Value of Car VINs

In his report, published on MacKeeper Security, Diachenko suggested that criminals are developing increasingly sophisticated techniques to combine online data with offline crimes. Fraudsters are using stolen data to obtain unique vehicle identifiers and then cloning VINs to make stolen cars appear perfectly legal.

A threat actor could use the database to make a new VIN plate and obtain a fake title for the car of his or her choice. Once the car is stolen, the fraudster can use the real VIN number from the database to sell the car to an unsuspecting buyer, who might not discover the crime until it’s too late.

Diachenko also referred to a recent case where members of a Tijuana motorcycle club used a compromised VIN database to steal 150 Jeep Wranglers, explained Bleeping Computer. It is unclear how the cybercriminals gained access to the database, but the incident demonstrated the dangers of exposed VINs.

The Importance of Database Security

News of the leak will come as little surprise to experts, who have long warned about the appeal of customer databases to cybercriminals. Organizations must focus on data protection techniques that stop fraudsters from actively stealing information and also prevent accidental leaks.

The report also warned that cybercriminals are becoming more creative by the day. The scale of the VIN database leak highlighted how dealerships must work hard to secure their data. Furthermore, those businesses must do more to protect customer data and the details of the cars they sell.

Diachenko provided a copy of the exposed database to Have I Been Pwned, which indexes leaked data sets. Once the imported data is added, U.S. car owners should be able to search the online service for their details to see if they have been compromised.

More from

Change Healthcare discloses $22M ransomware payment

3 min read - UnitedHealth Group CEO Andrew Witty found himself answering questions in front of Congress on May 1 regarding the Change Healthcare ransomware attack that occurred in February. During the hearing, he admitted that his organization paid the attacker's ransomware request. It has been reported that the hacker organization BlackCat, also known as ALPHV, received a payment of $22 million via Bitcoin.Even though they made the ransomware payment, Witty shared that Change Healthcare did not get its data back. This is a…

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

How I got started: AI security researcher

4 min read - For the enterprise, there’s no escape from deploying AI in some form. Careers focused on AI are proliferating, but one you may not be familiar with is AI security researcher. These AI specialists are cybersecurity professionals who focus on the unique vulnerabilities and threats that arise from the use of AI and machine learning (ML) systems. Their responsibilities vary, but key roles include identifying and analyzing potential security flaws in AI models and developing and testing methods malicious actors could…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today