June 7, 2017 By Mark Samuels 2 min read

The personal information of 10 million U.S. car owners has been exposed in a massive leak of car vehicle identification numbers (VINs).

Researchers at Kromtech Security discovered an unprotected database of car VINs, which is a unique identifying code for a vehicle on the U.S. roads, according to Bleeping Computer. The database, which has now been online for more than 137 days, contains sensitive and potentially valuable information.

There are fears that criminals could use this personal data to commit identify fraud. The leak should serve as both a warning to consumers and a reminder to auto dealerships about the importance of strong information protection.

Analyzing the Database Leak

The database was left online with no authentication, meaning that any knowing individual could scan the internet, find the database and then download sensitive information without restriction. Cybercriminals could use the unsecured information to commit fraud or identity theft.

It is structured by access to customer, vehicle and sales details. Customer details include personal information such as name, address, phone number and birth date. The vehicle details refer to car VINs and additional information such as model, year and mileage. Sales details also include VINs, payment amount and payment type, such as cash or card.

Kromtech’s chief communication officer, Bob Diachenko, wrote in a report that the leaked data did not include car owners’ card details, according to The International Business Times. However, he noted, the leaked information could be enough for threat actors to commit identity fraud.

The Value of Car VINs

In his report, published on MacKeeper Security, Diachenko suggested that criminals are developing increasingly sophisticated techniques to combine online data with offline crimes. Fraudsters are using stolen data to obtain unique vehicle identifiers and then cloning VINs to make stolen cars appear perfectly legal.

A threat actor could use the database to make a new VIN plate and obtain a fake title for the car of his or her choice. Once the car is stolen, the fraudster can use the real VIN number from the database to sell the car to an unsuspecting buyer, who might not discover the crime until it’s too late.

Diachenko also referred to a recent case where members of a Tijuana motorcycle club used a compromised VIN database to steal 150 Jeep Wranglers, explained Bleeping Computer. It is unclear how the cybercriminals gained access to the database, but the incident demonstrated the dangers of exposed VINs.

The Importance of Database Security

News of the leak will come as little surprise to experts, who have long warned about the appeal of customer databases to cybercriminals. Organizations must focus on data protection techniques that stop fraudsters from actively stealing information and also prevent accidental leaks.

The report also warned that cybercriminals are becoming more creative by the day. The scale of the VIN database leak highlighted how dealerships must work hard to secure their data. Furthermore, those businesses must do more to protect customer data and the details of the cars they sell.

Diachenko provided a copy of the exposed database to Have I Been Pwned, which indexes leaked data sets. Once the imported data is added, U.S. car owners should be able to search the online service for their details to see if they have been compromised.

More from

Taking the complexity out of identity solutions for hybrid environments

4 min read - For the past two decades, businesses have been making significant investments to consolidate their identity and access management (IAM) platforms and directories to manage user identities in one place. However, the hybrid nature of the cloud has led many to realize that this ultimate goal is a fantasy. Instead, businesses must learn how to consistently and effectively manage user identities across multiple IAM platforms and directories. As cloud migration and digital transformation accelerate at a dizzying pace, enterprises are left…

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today