Bought A Car Recently? 198 Million Car Buyer Records Exposed In Massive Data Leak

This article is more than 4 years old.


Have you bought a car recently? Or maybe you've just been looking for that dream vehicle? I hope you are sitting down then, as 198 million records from a car buyer marketing database have been exposed online in a truly massive data leak. Jeremiah Fowler, a senior security researcher at Security Discovery, turned detective after coming across the same 413GB dataset multiple times. "It was clear that this was a compilation of potential car buyers wanting more information," Fowler said, as the data included "loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more."

The database detective

Security researchers are, by nature, curious beasts. Fowler is no exception. With the sniff of a massive data breach in his nostrils, Fowler started investigating the 413GB dataset that he had encountered "several times in the previous weeks." Initially he wondered if this could be an automobile sales directory of some kind, as there were links to websites that appeared to be a mixture of lead-generation sites and small dealerships. Having called many of the websites to find out where they were getting their leads from, Fowler hit a brick wall of no straight answers to his questions. However, further investigation revealed that all the website domains linked back to the same place: dealerleads.com.

What is DealerLeads?

DealerLeads describes itself on LinkedIn as "The highest converting vendor in the automotive industry four years running according to Google Analytics!" According to the DealerLeads website, the company has "collected and purchased popular automobile relevant domains based on search terms used by car buyers," for 20 years. "We have turned these frequently used search terms into a variety of websites SEO’d to match those search terms," the sales pitch continues, "these sites capture users at all stages of the buying funnel." The DealerLeads system aims to drive 1st generation leads directly to the websites of car dealers, claiming conversion rates of 18% compared to 3rd party leads that convert at 5%-7%.

What car buyer information was in the exposed database?

The unsecured database was found to contain 198 million records including names, email addresses, phone numbers and street addresses, along with "other sensitive or identifiable information exposed to the public internet in plain text." The security researcher also pointed out that data such as IP addresses, ports, pathways and storage info could be exploited by cybercriminals to navigate the network further.

What happened next?

As soon as the security researcher had found the DealerLeads connection, he reported his discovery of the non-password-protected Elasticsearch database, with its 198 million records, to the company by email.

That was on August 19.

On August 20, he confirmed that the database was still online and exposed to anyone who cared to look for it. It was time for a phone call. "I was able to speak with the general sales manager," Fowler said, "who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone."

While DealerLeads was quick to password-protect the database once it had been notified, the data had already been exposed and accessible to anyone for who knows how long.

Fowler said that it was "unclear if DealerLeads has notified individuals, dealerships, or authorities about the data incident," and as a result "potential customers may not know if their data was exposed." At the time of writing this article, I was unable to find any official mention of the database exposure on the DealerLeads website or any of the social media networks used by the company. I have approached DealerLeads for a statement regarding the notification situation for dealerships and individuals. I will update this story as and when I have any comments.

What do security experts say?

"Not a week goes by without more companies exposing cloud-based data publicly," Javvad Malik, security awareness advocate at KnowBe4 said, "while on the surface this appears to be a technical misconfiguration issue, the root cause goes much deeper into the culture of security, or lack thereof, that many companies have." Malik advised businesses to treat customer data as if it were radioactive material: "with great caution, using effective protection and only the amounts that are absolutely necessary."

Jonathan Knudsen, a senior security strategist at Synopsys, said that "all that was needed was a simple policy that every internet-facing system needs password protection, data encryption, or other fundamental protections." These simple, fundamental security policies, costing little to implement, "can dramatically reduce risk and provide a springboard to implementing a more comprehensive software security initiative," Knudsen said.

"This breach once again highlights the advantage adversaries have against defenders," Israel Barak, chief information security officer at Cybereason said, "the vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn't take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders." Barak said that this is just one more wake-up call for security hygiene to be improved.

In defense of Elastic, the organization whose database software was misconfigured, Hugo van den Toorn, manager of Offensive Security at Outpost24, said, "Elastic themselves quote on one of their recent blogs on securing Elasticsearch that it’s especially dangerous if the cluster is connected directly to the Internet where anyone can connect without using a password."

