Data breaches have become so common these days that news of a new one arrives every single day. We have seen data breaches from big to small, from dangerous to embarrassing, but this one is the creepiest data breach of 2017: this leak of credentials for almost 540,000 car tracking devices might take the biscuit.
The Kromtech Security Center recently found that over half a million login credentials belonging to SVR, a company that specializes in “vehicle recovery”, were leaked online and publicly accessible. SVR provides its customers with around-the-clock surveillance of cars and trucks, just in case those vehicles are towed or stolen.
Kromtech Security was the first to discover this data breach. It found a wide-open, public-facing, misconfigured Amazon Web Services (AWS) S3 cloud storage bucket, containing a cache belonging to SVR, that had been left publicly accessible for an unknown period. The cache contained information on roughly 540,000 SVR accounts, including email addresses and passwords, as well as some license plates and vehicle identification numbers (VINs).
The most interesting part is that the exposed database also contained information on exactly where in the car the tracking device is. With that, an attacker could outright steal the vehicle and take the tracking device out of the car.
“The overall number of devices could be much larger given the fact that many of the resellers or clients had large numbers of devices for tracking,” said Bob Diachenko from Kromtech. “In the age where crime and technology go hand in hand, imagine the potential danger if cyber criminals could find out where a car is by logging in with the credentials that were publicly available online and steal that car?”