Breach, Data Security, Network Security

Misconfigured database exposes 198M records on prospective auto buyers

Dealer Leads, LLC, a digital marketing company for car dealerships, was discovered last month to have exposed an Elastic database that contained 198 million records on prospective automotive buyers.

Publicly accessible information included the plain-text names, email addresses, phone numbers, home addresses and IP addresses of visitors to numerous websites affiliated with Dealer Leads, cybersecurity news and consulting firm Security Discovery reported today in a blog post.

The 413 GB database, which was not password-protected, also included details on loan and finance inquiries, vehicles offered for sale, and additional information that cybercriminals could have used to penetrate deeper into the Dealer Leads network, including ports pathways and storage info.

According to Dealer Leads' Linkedin page, the Calabasas, California-based company "provides high-volume, high-quality website traffic for franchise and independent car dealerships through our exclusive, wholly- owned classified sites and our manufacturer quality research pages."

Blog post author Jeremiah Fowler, Security Discovery's director of security research and senior communications consultant, uncovered the open database last Aug. 19, and through some sleuthing determined that the various websites referenced in the contents were all linked to the site dealerleads.com. In the blog post, Fowler said he spoke to a general sales manager at Dealer Leads, who saw to it that the database was made private shortly after the disclosure took place.

"Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed," Fowler wrote. "This is another wake up call for any organization that collects and stores large amounts of data. It is crucial to ensure that the proper safeguards are in place."

Fowler also said it is unknown if Dealer Leads notified any affected individuals, dealerships, or authorities about the unintended leak. SC Media has reached out to Dealer Leads for comment.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Related

Nexperia impacted by cyberattack

Nexperia had some of its servers confirmed to be compromised in a cyberattack last month following a report from Dutch broadcast firm RTL detailing attackers' claims of having exfiltrated hundreds of gigabytes of data from the Chinese-owned Dutch semiconductor manufacturer, according to Cybernews.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.