The personal details of millions of American automobile owners who subscribe to a roadside emergency assistance program offered by the company Drivesure are available online after a hacker illegally breached the company and dumped multiple of its databases on hacking forums. A researcher from the security vendor Risk Based Security discovered the databases on the RaidForums hacking forums late last month and reported them to Drivesure this week. The databases contain names, addresses, phone numbers and email addresses, as well as information about the customers' vehicles, including make, model and VIN, along with service records and damage claims. The breach also contained 93,000 bcrypt-hashed passwords; bcrypt is a hashing function commonly used by applications to protect stored passwords. But these hashes can still be brute-forced if a criminal is able to run cracking scripts against them.
Drivesure is a provider of services that help car dealers build customer loyalty through the use of data about their interactions. The Illinois-based company is focused on employee training programs and consumer retention, among other things.
Thompson exploited a cloud firewall configuration vulnerability to get around security measures at the company and access folders and data buckets. Thompson then uploaded her stolen data to GitHub and gradually changed the information as she continued to hack. It isn't clear whether she was trying to make money from her attack. Other notable targets have also been hit in the last few weeks. These included Washington State unemployment claimants, who were affected by a breach of a third-party service used by an auditor, and employees of air charter company Solairus Aviation.