Personal and financial information of a significant percentage of the American population were left exposed to wholesale access by a California-based auto dealer named Dealer Leads who chose to upload up to 198 million records on an unsecured Elasticsearch database that lacked password protection.
The unsecured and visible-to-all Elasticsearch database was discovered by security researcher Jeremiah Fowler at Security Discovery on 19th August who observed that the database owned by Dealer Leads contained personal and financial details of potential car buyers sourced from websites owned by a large number of lead generation agencies and independent dealerships.
Leaked records included PII of thousands of car buyers
Up to 198 million records stored in the unsecured database, according to Fowler, included details of “potential car buyers wanting more information, loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more”.
The records also included names, email addresses, phone numbers, and addresses of potential car buyers and also included device information such as IP addresses, ports, pathways, and storage details that could be exploited by cyber criminals to infiltrate further into the network.
While Fowler was initially unable to identify the owner of the database as it contained information sourced from possibly thousands of websites, further research conducted by him revealed that all these websites linked back to the domain owned by California-based Dealer Leads LLC.
Dealer Leads LLC was founded in 2015 and now owns a massive and highly targeted network of websites that is used by a large number of franchises and independent car dealerships in the United States to keep tabs on potential car buyers, their financial status, their activities on Dealer Leads’ websites, and cars they are looking to purchase.
Each of the thousands of websites owned by Dealer Leads LLC is specifically aimed at a precise buyer demographic or behavioural characteristic, thereby allowing independent car dealerships to choose which website to track for information on potential buyers and the existing demand for certain vehicles.
After establishing that the database was owned by Dealer Leads and was still publicly-available, Fowler contacted them on 20th August and public access to the database was closed shortly thereafter. However, Fowler was unable to establish how long the database was available publicly, indicating that malicious actors could have accessed the database during the time it was active.
Basic security hygiene can prevent a lot of data from being lost to hackers
“The Dealer Leads breach is yet another reminder that this type of data exposure is far too commonplace, and a significant number of hacks this year have been a result of unsecured hosting. Today, consumers should assume their private information has been stolen numerous times and will continue to be accessible to a growing number of threat actors,” says Israel Barak, chief information security officer at Cybereason.
“This breach once again highlights the advantage adversaries have against defenders. The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn’t take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders.
“This is yet another wake-up call to corporations, third party vendors and all defenders to improve their security hygiene, update security patches and provide security awareness training,” he adds.
“For Dealer Leads, all that was needed was a simple policy that every internet-facing system needs password protection, data encryption, or other fundamental protections. Simple, fundamental security policies that cost very little to implement can dramatically reduce risk and provide a springboard to implementing a more comprehensive software security initiative,” says Jonathan Knudsen, senior security strategist at Synopsys.
Oscar Tovar, application security specialist at WhiteHat Security, says that following best practices such as network segmentation and the ‘least privilege’ model help prevent these kinds of leaks from occurring. “Network segmentation is highly important as it prevents high exposure of internal infrastructure. Furthermore, giving only users the least amount of necessary privileges to data access lessens the probability of a data leak.”