Another day, another data breach to report, login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.
The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.
The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center.The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.
The S3 bucket contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VIN (vehicle identification number) and the IMEI numbers of GPS devices.
The exposed archive also includes information where the tracking device was hidden in the car.
“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.
Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.
“The experts discovered a Backup Folder named “accounts” contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more. ” continues the analysis.
It includes also:
Since archive also included the position of the vehicles for the past 120 days.
The overall number of devices could be greater because many of the resellers or clients had large numbers of devices for tracking.
Kromtech reported the discovery to the SVR that promptly secured it. However, it is unclear whether the publicly accessible data was possibly accessed by hackers or not.
At the time, it is not clear if hackers accessed the data while they unsecured online.
(Security Affairs – SVR Tracking, data leak)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.