The last few years have been an insane roller-coaster ride as far as online security is concerned.
From malware campaigns to ransomware, almost every single part of the globe has been affected by these attacks.
Now, a new data breach has just occurred with nearly 540,642 vehicle records leaked online. The sheer amount of data in this breach is mind-boggling as hundreds of thousands of people expected to be affected by this.
It seems that every year, one major attack occurs and subsequently causes devastating, widespread repercussions.
Though security programs are constantly evolving, hackers are constantly finding new ways to illegally steal data.
That has caused the number of cyber hacks to spike in 2017.
How Did the Data Breach Happen?
In a blog post, the Kromtech Security Center first revealed that researchers had discovered that nearly half a million vehicle records belonging to SVR Tracking were leaked online.
SVR Tracking is a company known for specializing in recovering vehicles. They provide 24-hour surveillance for customers’ vehicles so as to avoid from getting towed or, even worse, stolen.
But in order to record everything around the clock, they use a tracking device to monitor the vehicle’s movement.
These tracking devices were planted on the vehicle in places where no one would notice except the owner.
These devices allow both regular customers and auto dealers to both locate and recover their vehicles if they’re ever stolen or towed.
It will alert the owner to the vehicle’s whereabouts and its state of motion. The app displays a real-time graph and other important data to accurately measure vehicle activity.
The popularity of such trackers rose over the last few years as vehicle thefts became increasingly common in the United States.
There was once a time when people could leave the keys in their car safely, but that is only a distant memory now.
That very same tracking device allowed SVR Tracking to provide continuous updates on the vehicle being monitored.
It sends a message about the vehicle’s location every two minutes when it is in motion and every four hours when it is stationary. This allowed them to know exactly where the vehicle was in the past 120 days.
The only thing that was required for anyone to get this information was the assigned login credentials.
With the login details, customers could access this information through the SVR app, which can be downloaded and installed on computers and mobile devices.
Amazon S3 Bucket’s Lax Security
Kromtech found out that the SVR data was actually stored in a publically accessible Amazon S3 bucket.
Stored on that database was the information of over half a million vehicles, including their customer’s email login details, license plate numbers, vehicle identification numbers, IMEI (International Mobile Equipment Identity), GPS device numbers and passwords.
The passwords stored in the Amazon S3 bucket used a cryptographic hash function named SHA-1, which has several issues in security besides being an old encryption method.
A savvy hacker would be able to crack through it with relative ease. It came as no surprise to learn that a data breach of such magnitude occurred after this information was obtained.
Recently, a group named the CynoSure Team made a statement that they were able to crack over 95 percent of SHA-1 hashes from a total of 319 million.
It’s not exactly certain for how long these leaks were online, as only Amazon and the individual who owned the S3 bucket know the real duration.
There is speculation regarding the number of devices that were used to track the vehicles, as some customers used multiple devices according to their needs.
What is frightening is the thought that criminals might be able to login using information from the data breach to steal other people’s cars with ease.
These leaks also ended up exposing nearly 339 logs that contained various vehicle records, images and maintenance records.
Even contracts with car dealerships that used SVR Tracking’s services were exposed in the data breach.
Not the First Data Breach This Year
These leaks, however, aren’t the only ones of their kind to have occurred this year.
Several weeks ago, Kromtech also discovered a massive telecommunications data breach where nearly four million customer records were leaked online.
Those leaks were also later found to be from an unsecured Amazon S3 bucket.
Before that, data regarding nearly 88,600 credit card info, passport photographs and various additional personal identification ID’s were hacked as well.
Hacking and data breaches are not a recent phenomenon by any stretch of the imagination; however, the scale of the thefts is increasing at an alarming rate.