Security researchers have discovered a vulnerable database containing the details of approximately 10 million vehicles sold in the US, including vehicle identification numbers (VIN) and personal details about the owners.
The discovery follows the indictment of a Tijuana motorcycle club whose members relied on access to VIN numbers, as well as a manufacturer’s key database, to steal 150 Jeep Wranglers worth an estimated $4.5 million.
More than 16,500 Jeep Wranglers are listed in the database, according to Bob Diachenko of the Kromtech Security Research Center, who said the information has been exposed and updated for several months.
Gizmodo authenticated the database by contacting several car dealerships referenced in the leak.
A wide range of customer details are also contained in the database, apparently collected from dozens of US car dealerships, including full names, home addresses, phone numbers, and birth dates. Information about the vehicles includes the VIN number, model, year, mileage, as well as sales information, such as the owner’s monthly payment amount and purchase price.
The dealerships affected by this leak include Honda, Mitsubishi, Toyota, Hyundai, Chrysler, Kia, Acura, BMW, Mini, Porsche, Nissan and Infiniti, among others.
It is not yet clear who is responsible for the database, though Kromtech suspects the data was compiled for marketing purposes. The cybersecurity firm has attempted to secure the information by contacting the cloud hosting provider as well as several of the larger dealerships involved.
“With such a large number of automobile VINs exposed we are warning car dealerships to take every possible measure to secure their data,” Diachenko said. “Cyber criminals are becoming more creative by the day and to see the crossover from online crime to stealing cars is a disturbing trend.”
Access to the VIN numbers alone isn’t enough to replicate the scheme of the Hooligans biker club—that required additional access to a dealership database, which provided patterns for creating new keys and computer chips linked to the Wranglers’ computer systems.
Still, the information has some value on the black market. It could be used, for example, to manufacture fake auto-insurance cards, which can sell for up to $35 a pop. Car thieves could also use it to “clone” cars, a process whereby a vehicle’s VIN number is altered to conceal the fact that it was stolen.
After being alerted to the database last week, the FBI did not respond to a request for comment.
Update 12:37pm — Bob Diachenko tells Gizmodo that the email accounts associated with this breach will be added soon to Troy Hunt’s “Have I Been Pwned?” (HIBP) system. This way, you’ll be able to enter your email address and find out if your VIN number was exposed. The affected consumers will also be notified by email. This post will be updated again when HIBP is ready.
Update 9:55am, June 9: 59 percent of the email addresses tied to the breach were already in HIBP’s database. You can go to haveibeenpwned.com now to find out if your VIN was compromised.