Hackers published data on 3.2 million users lifted from DriveSure data on the Raidforums hacking forum late last month.
To prove the data's quality, threat actor “pompompurin” detailed the leaked files and user information in a lengthy post, according to researchers at Risk Based Security, who were the first to report the breach.
The long post was unusual in that hackers typically share only the most valuable segments or trimmed-down versions of user databases, the researchers wrote; in this case, numerous backend files and folders were leaked.
DriveSure, a service provider for car dealerships that focuses on employee training programs and customer retention, maintains an abundance of client data. The information exposed included names, addresses, phone numbers, email addresses, IP addresses, car makes and models, VIN numbers, car service records and dealership records, damage claims and 93,063 bcrypt-hashed passwords. While security pros consider bcrypt a strong password-hashing scheme relative to older methods such as MD5 and SHA1, the hashes remain vulnerable to brute-force guessing when the underlying passwords are weak.
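The point above, that a slow password hash only helps when the stored hashes actually use it and the passwords behind them are not trivial, is easiest to see in the defender's side of the problem: how a service stores credentials, migrates legacy MD5/SHA1 records, and rejects weak passwords. The following is an added example, not code from the article or from DriveSure. It uses `hashlib.scrypt` from Python's standard library as a stand-in for bcrypt (which is not in the stdlib); the work-factor constants, the `$scrypt$` record format, the blocklist and the in-memory user table are all constructed for illustration.

```python
"""Password storage hygiene: slow hashing, legacy-hash migration, weak-password policy.

Added example (not part of the article or of DriveSure's systems). scrypt stands in
for bcrypt; policy constants, record format and the user table are constructed.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Work-factor policy (assumed values): scrypt with N=2^14 costs ~16 MiB and tens of
# milliseconds per guess, versus nanoseconds for an unsalted MD5 or SHA1 digest.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
MIN_PASSWORD_LEN = 12
# Constructed blocklist; a real deployment would load a large breach-derived list.
COMMON_PASSWORDS = {"password", "password1", "123456789012", "qwerty123456"}


def password_meets_policy(password: str) -> bool:
    """A slow hash does not rescue a weak password: enforce length and a blocklist."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in COMMON_PASSWORDS


def legacy_sha1(password: str) -> str:
    """Unsalted SHA1 hex digest, the kind of legacy record a migration must handle."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, n: int = SCRYPT_N) -> str:
    """Return a self-describing record: $scrypt$<N>$<base64 salt>$<base64 digest>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$scrypt$%d$%s$%s" % (n, base64.b64encode(salt).decode(), base64.b64encode(digest).decode())


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    Accepts the scrypt record format above and, for migration only, legacy unsalted
    hex MD5 (32 chars) or SHA1 (40 chars) digests. All comparisons are constant-time.
    """
    if stored.startswith("$scrypt$"):
        _, _, n_str, salt_b64, digest_b64 = stored.split("$")
        n = int(n_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
        # Rehash when the stored work factor has fallen below the current policy.
        return hmac.compare_digest(actual, expected), n < SCRYPT_N
    algo = {32: "md5", 40: "sha1"}.get(len(stored))
    if algo is None:
        return False, False
    actual = hashlib.new(algo, password.encode("utf-8")).hexdigest()
    matches = hmac.compare_digest(actual, stored.lower())
    # A legacy hash is upgraded the moment the plaintext is available (successful login).
    return matches, matches


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check a login and transparently upgrade legacy or under-cost hash records."""
    stored = users.get(username)
    if stored is None:
        # Spend comparable time for unknown users so timing does not reveal existence.
        hash_password(password)
        return False
    matches, needs_rehash = verify_password(password, stored)
    if matches and needs_rehash:
        users[username] = hash_password(password)
    return matches


if __name__ == "__main__":
    # Constructed user table: one legacy SHA1 record and one current scrypt record.
    users = {
        "legacy@example.com": legacy_sha1("correct horse battery staple"),
        "current@example.com": hash_password("another long passphrase here"),
    }
    print(login(users, "legacy@example.com", "wrong guess"))                   # False
    print(login(users, "legacy@example.com", "correct horse battery staple"))  # True
    print(users["legacy@example.com"].startswith("$scrypt$"))                  # True (upgraded)
    print(password_meets_policy("Passw0rd"))                                   # False
```

The record format carries its own work factor so the policy can be raised later and old records rehashed on the next successful login; the legacy branch exists only to migrate, and any MD5/SHA1 record that is never upgraded should be force-reset, which is the same action a breached service owes its users.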
The information leaked was prime for exploitation by other threat actors, especially for insurance scams, the researchers said. Cybercriminals can use PII, damage claims, extended car details and dealer and warranty information to target insurance companies and policyholders as well as break into other valuable platforms like bank accounts, personal email accounts and corporate systems.
The hackers dumped the data on December 19, 2020, Raidforums said, with the researchers discovering the exposed DriveSure databases shortly after on Jan. 4.
One leaked folder totaled 22 gigabytes and included the company’s MySQL databases, exposing 91 sensitive databases. The databases cover detailed dealership and inventory information, revenue data, reports, claims and client data.
A second compromised folder contained 11,474 files in 105 folders and totaled 5.93 GB. Self-identified as “parser files,” they are most likely logs and backups of the databases and contain the same information as the SQL databases, the researchers said.
This was not the first time that “pompompurin” has exposed databases, said Ivan Righi, cyber threat intelligence analyst at Digital Shadows. The threat actor has leaked seven other databases in 2021, including those from People's Energy Company, Photolamus, Travel Oklahoma, MMG Fusion, Bourse des vols, Capital Economics and Wemo Media.
“These breaches are not uncommon on Raidforums, and it bears resemblance to other hacking groups such as ShinyHunters, which exposed close to one billion user records in 2020," Righi said. “As the data breaches are being offered for free, it is likely that the user is attempting to build a reputation for themselves on the criminal forum.”