The personal information of millions of American car owners who subscribe to a roadside assistance service offered by DriveSure is now available online after a cybercriminal hacked the firm and dumped multiple databases on hacking forums. Security vendor Risk Based Security spotted the databases on the RaidForums hacking forum late last month and informed DriveSure of the issue this week. The databases include names, addresses, phone numbers and email addresses. There is also data on customers' cars, including make, model and VIN, as well as service records and damage claims. The breach also contained 93,000 passwords hashed with bcrypt, an algorithm that applications use to protect stored passwords. But these passwords can still be brute-forced if a bad actor spends a long time running scripts against them.
DriveSure is a provider of services that help car dealers build customer loyalty using information about their interactions. The business is based in Illinois and focuses on employee training programs and consumer retention, among other things.
Thompson exploited an issue with the cloud firewall configuration to bypass the company's security measures and gain access to folders and data buckets. Thompson then uploaded the stolen data to GitHub and slowly updated it while she continued her hacking spree. It is not known whether she intended to profit from the hack. In the past few weeks, other prominent targets have also been hit. These include Washington State unemployment claimants, who were affected by a breach in a third-party system used by an auditor, as well as employees of the air charter company Solairus Aviation.