The personal information of 10 million U.S. car owners has been exposed in a massive leak of car vehicle identification numbers (VINs).

Researchers at Kromtech Security discovered an unprotected database of car VINs, which is a unique identifying code for a vehicle on the U.S. roads, according to Bleeping Computer. The database, which has now been online for more than 137 days, contains sensitive and potentially valuable information.

There are fears that criminals could use this personal data to commit identify fraud. The leak should serve as both a warning to consumers and a reminder to auto dealerships about the importance of strong information protection.

Analyzing the Database Leak

The database was left online with no authentication, meaning that any knowing individual could scan the internet, find the database and then download sensitive information without restriction. Cybercriminals could use the unsecured information to commit fraud or identity theft.

It is structured by access to customer, vehicle and sales details. Customer details include personal information such as name, address, phone number and birth date. The vehicle details refer to car VINs and additional information such as model, year and mileage. Sales details also include VINs, payment amount and payment type, such as cash or card.

Kromtech’s chief communication officer, Bob Diachenko, wrote in a report that the leaked data did not include car owners’ card details, according to The International Business Times. However, he noted, the leaked information could be enough for threat actors to commit identity fraud.

The Value of Car VINs

In his report, published on MacKeeper Security, Diachenko suggested that criminals are developing increasingly sophisticated techniques to combine online data with offline crimes. Fraudsters are using stolen data to obtain unique vehicle identifiers and then cloning VINs to make stolen cars appear perfectly legal.

A threat actor could use the database to make a new VIN plate and obtain a fake title for the car of his or her choice. Once the car is stolen, the fraudster can use the real VIN number from the database to sell the car to an unsuspecting buyer, who might not discover the crime until it’s too late.

Diachenko also referred to a recent case where members of a Tijuana motorcycle club used a compromised VIN database to steal 150 Jeep Wranglers, explained Bleeping Computer. It is unclear how the cybercriminals gained access to the database, but the incident demonstrated the dangers of exposed VINs.

The Importance of Database Security

News of the leak will come as little surprise to experts, who have long warned about the appeal of customer databases to cybercriminals. Organizations must focus on data protection techniques that stop fraudsters from actively stealing information and also prevent accidental leaks.

The report also warned that cybercriminals are becoming more creative by the day. The scale of the VIN database leak highlighted how dealerships must work hard to secure their data. Furthermore, those businesses must do more to protect customer data and the details of the cars they sell.

Diachenko provided a copy of the exposed database to Have I Been Pwned, which indexes leaked data sets. Once the imported data is added, U.S. car owners should be able to search the online service for their details to see if they have been compromised.