Another day, another data breach to report, login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.
The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.
The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center.The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.
The S3 bucket contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VIN (vehicle identification number) and the IMEI numbers of GPS devices.
The exposed archive also includes information where the tracking device was hidden in the car.
“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.
Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.
“The experts discovered a Backup Folder named “accounts” contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more. ” continues the analysis.
It includes also:
Since archive also included the position of the vehicles for the past 120 days.
The overall number of devices could be greater because many of the resellers or clients had large numbers of devices for tracking.
Kromtech reported the discovery to the SVR that promptly secured it. However, it is unclear whether the publicly accessible data was possibly accessed by hackers or not.
At the time, it is not clear if hackers accessed the data while they unsecured online.
(Security Affairs – SVR Tracking, data leak)