The personal details of millions of American car owners who signed up for a roadside emergency assistance program offered by the firm DriveSure have been made public after a hacker illegally breached the firm and dumped multiple of its databases on hacking forums. A security researcher from the vendor Risk Based Security discovered the databases on the RaidForums cracking forum late last month, and informed DriveSure of the issue this week. The databases include names, addresses, phone numbers and email addresses. They also include data on the customers' vehicles, including make, model and VIN, as well as service records and damage claims. The breach also included 93,000 bcrypt password hashes, a format commonly used to secure data that is stored by secure software. These hashes can potentially be brute-forced if an attacker runs scripts against them for hours.
DriveSure provides services that help car dealers build customer loyalty through the use of data from their interactions. The Illinois-based business focuses on employee training programs and consumer retention, among other things.
Thompson exploited a cloud firewall configuration vulnerability to bypass the security measures in place at the company and gain access to folders and data buckets. She then uploaded the stolen data to GitHub and slowly updated it as she continued her hacking spree. It is unclear if she intended to make money through her hacking. Other high-profile targets have been hit over the past few weeks, including unemployment claimants in Washington state who were caught up in a breach of an external software application that was used by the auditor, and employees of air charter company Solairus Aviation.