Over 198 million records containing information on prospective car buyers, including loan and finance data, vehicle information and IP addresses for website visitors, have been found exposed on the internet for anyone to see.
The Elasticsearch database, which had no password protection, belonged to Dealer Leads, a company that gathers information on prospective buyers via a network of SEO-optimized, targeted websites. According to Jeremiah Fowler, senior security researcher at Security Discovery, the websites all provide car-buying research information and classified ads for visitors. They collect this info and send it on to franchise and independent car dealerships to be used as sales leads. The exposed database contained 413GB of data in total.
The information included records with names, email addresses, phone numbers, physical addresses, IP addresses and other sensitive or identifiable information exposed to the public internet in plain text, according to Fowler. In addition, there were “ports, pathways, and storage info that cybercriminals could exploit to access deeper into the network,” the researcher said.
He added that the business model used by Dealer Leads is not particularly transparent. “When contacting a local dealership in their hometown about a specific automobile they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold or shared via DealerLeads,” he noted.
After discovering the database in mid-August, Fowler traced the information back to multiple website domains.
“Upon further investigation I noticed that many of the websites appeared to be a mix of lead-generation sites and smaller possibly independent dealerships,” he said in his writeup posted on Wednesday. “I called several of the websites found inside the database to ask where they purchased their leads and could never get a straight answer, despite informing them of a potential data breach. I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.”
Eventually, in manually reviewing multiple domains, Fowler found that they all linked back to dealerleads[.]com.
California-based Dealer Leads closed off public access to the database, which was set to be open and visible in any browser without administrative credentials, shortly after Fowler called the company on August 20. However, the data set appeared to have been floating around for some time before that. It’s also unclear, Fowler said, if Dealer Leads informed the car dealerships with which it works, or the impacted website visitors themselves.
“Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed,” said Fowler. “This is another wake up call for any organization that collects and stores large amounts of data. It is crucial to ensure that the proper safeguards are in place. Data protection and privacy are now becoming a core part of the business landscape and there is a growing shift where more and more people realize that customer data is just as important as the products or services.”
The incident is just the latest in a string of cloud storage misconfigurations that have been discovered exposing sensitive information to the open internet. The most recent high-profile case was of course Capital One, where a cybercriminal accessed the data of more than 100 million people in the U.S. and 6 million in Canada. Thanks to a cloud misconfiguration, the attacker was able to access credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches ever to hit a financial services company, putting it in the same league in terms of size as the Equifax incident of 2017.
“Another week, another ElasticSearch misconfigured server,” said Anna Russell, vice president at comforte AG, via email. “It is clear that those that choose to use cloud-based databases must perform necessary due diligence to configure and secure every corner of the system properly. Sadly, with the recent wave of ElasticSearch, MongoDB, Big Data, and other Open Source breaches, it does look like security is not being taken seriously enough. Just because a product is freely available and highly scalable doesn’t mean you can skip the basic security recommendations and configurations. Beyond ensuring that products and services are correctly deployed and maintained by competent, experienced staff, organizations must also secure their cloud-based data by adopting a data-centric security model that protects the data at rest, in motion, and in use – even if a properly configured system is compromised.”
Dan Tuchler, CMO at SecurityFirst, pointed out that Elastic publishes recommendations on how to secure its servers: authenticated sign-on, managed users and roles, encryption, layered security and audit logging.
“These steps should apply to any server,” he noted.
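To make those recommendations concrete, the following added example (written for this article, not code from Elastic, Security Discovery or Dealer Leads) audits an elasticsearch.yml against them. It assumes the flat "dotted.key: value" form of elasticsearch.yml and the X-Pack setting names used by Elasticsearch 7.x; the two embedded configurations are constructed for illustration, and the "weak" one shows the shape of a node that answers any browser on every interface with no credentials, as described above.

```python
"""Audit an elasticsearch.yml against Elastic's hardening recommendations.

Added example, not Elastic's tooling. Assumes the flat "dotted.key: value"
form of elasticsearch.yml (the nested YAML form is not handled) and the
X-Pack setting names used by Elasticsearch 7.x.
"""
from typing import Dict, List

# Constructed example of a wide-open node (not any real company's config).
WEAK_CONFIG = """\
cluster.name: leads
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed example applying the recommendations: private interface only,
# authentication on, TLS on both the REST API and inter-node transport, and
# audit logging so access can be reconstructed afterwards.
HARDENED_CONFIG = """\
cluster.name: leads
network.host: 10.0.3.12   # private interface, firewalled to the app tier
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12
xpack.security.audit.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat 'key: value' lines of an elasticsearch.yml.

    Comments (inline or whole-line) and blank lines are skipped and quotes
    around values are dropped. Nested YAML blocks are not supported.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Return one finding per recommendation the configuration does not meet."""
    findings: List[str] = []

    def is_true(key: str) -> bool:
        return settings.get(key, "false").lower() == "true"

    # Authentication: with security off, every request is anonymous and
    # gets full read/write access to every index.
    if not is_true("xpack.security.enabled"):
        findings.append("xpack.security.enabled is not true: no authentication")

    # Granting roles to anonymous requests reopens the door with security on.
    if settings.get("xpack.security.authc.anonymous.roles"):
        findings.append("xpack.security.authc.anonymous.roles gives roles to "
                        "unauthenticated requests")

    # Encryption: REST traffic (including credentials) and node-to-node traffic.
    for layer in ("http", "transport"):
        if not is_true(f"xpack.security.{layer}.ssl.enabled"):
            findings.append(f"xpack.security.{layer}.ssl.enabled is not true: "
                            f"{layer} traffic travels in clear text")

    # Layered security: the default network.host is _local_ (loopback); binding
    # to every interface is how a node ends up reachable from any browser.
    if settings.get("network.host", "_local_") in ("0.0.0.0", "::", "_global_"):
        findings.append("network.host binds the REST API to every interface")

    # Audit logging: without it there is no record of who read what, which is
    # exactly the "undetermined length of time / unclear who accessed" problem.
    if not is_true("xpack.security.audit.enabled"):
        findings.append("xpack.security.audit.enabled is not true: no access record")

    return findings


def audit_text(text: str) -> List[str]:
    """Convenience wrapper: parse a config string and audit it."""
    return audit(parse_flat_yaml(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {audit_text(cfg) or ['no findings']}")
```

Enabling `xpack.security.enabled` is only the first step of the "managed users and roles" item: the built-in users still need passwords set (`bin/elasticsearch-setup-passwords` on 7.x) and application accounts should get a least-privilege role created through the `PUT _security/role/<name>` API, with read-only access to the indices they actually query, rather than the `superuser` role.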