reports that Honda's e-commerce platform for power equipment was affected by security vulnerabilities in its password reset API, which could be leveraged to access customer information and other documents.
Information exposed through the exploitation of the flaws, identified by security researcher Eaton Zveare in Honda's Power Equipment Tech Express site, included 21,393 customer orders between August 2016 and March 2023, 11,034 customer emails, 3,588 dealer users/accounts, 1,570 dealer websites, 1,090 dealer emails, and internal financial reports. Dealers' Authorize.net, PayPal, and Stripe private keys could also have been accessed.
Zveare was able to access the data panels of every Honda dealer simply by incrementing user IDs.
Honda has since addressed these vulnerabilities.