Marketer Exposes 198 Million Car Buyer Records

Written by

Another unprotected Elasticsearch database has been discovered by researchers, this time exposing personally identifiable information (PII) linked to 198 million car buying records.

The privacy snafu was discovered back in August by Jeremiah Fowler, researcher at SecurityDiscovery.

The non-password protected database contained a massive 413GB of data on potential car buyers, including names, email addresses, phone numbers, home addresses and more stored in plain text.

Also left publicly accessible were IP addresses, ports, pathways, and storage info “that cyber-criminals could exploit to access deeper into the network,” he explained.

Fowler spent several days trying to locate the owner of the database, which contained information from multiple websites.

“Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com,” he added. “I was able to speak with the general sales manager who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.”

As the name suggests, Dealer Leads provides online marketing support in the form of prospective car buyers for dealerships around the US. It's unknown how long the data was exposed for.

“It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network applicants and potential customers may not know if their data was exposed,” Fowler warned.

“Also, when contacting a local dealership in their hometown about a specific automobile they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold, or shared via DealerLeads.”

The incident is just the latest in a long line of privacy leaks via Elasticsearch, AWS S3, and other online platforms, due to security misconfigurations.

In recent months, Honda exposed 134 million company documents, a leading Chinese uni leaked 8TB of email metadata, and Dow Jones left a sensitive global watchlist of criminals and terrorists open to the public — all via misconfigured Elasticsearch instances.

What’s hot on Infosecurity Magazine?