Adversaries posted sensitive information of 3.2 million DriveSure users on the underground hacking forum Raidforums. A hacker using the handle “pompompurin” advertised the leaked files and user data in a post, as proof of compromise. DriveSure is a car dealership service provider focused on employee training programs and customer retention, and it holds client data in large quantities.
According to Risk Based Security, the exposed information included full names, full addresses, contact details, email addresses, hashed passwords, car models, VINs, records of how much customers paid for service, warranty status, emails sent to customers, texts sent to customers, IP addresses, damage claims, survey responses, logs of edits to customer records, and the current status of each car.
Hackers dumped two databases that hosted sensitive data of DriveSure users. One database consists of over 22 GB of the company’s MySQL files, which detailed dealer and inventory information, sales data, reports, claims, and customer data. The second compromised database, taken from the company’s “parserfiles” S3 bucket, contained 11,474 files in 105 folders and is 5.93 GB in size.
The exposure of this data may have severe consequences for the users affected by the incident, since cybercriminals can readily misuse such information for personal gain.
“The information leaked in these databases is prime for exploitation by threat actors, and in particular for insurance scams. Criminals can use personally identifiable information, damage claims, extended car details, and dealer and warranty information to target insurance companies and policyholders. Moreover, user credentials are used by threat actors to break into other valuable platforms such as bank accounts, personal email accounts, and corporate systems. The diverse set of user data can also be used to guess and crack security questions often used by companies to reset passwords. Commercial email addresses can even be targets for spear-phishing or extortion,” Risk Based Security said.