Login credentials of to a greater extent than than one-half a 1000000 records belonging to vehicle tracking device society SVR Tracking accept leaked online, potentially exposing the personal information together with vehicle details of drivers together with businesses using its service.
Just 2 days ago, Viacom was institute exposing the keys to its kingdom on an unsecured Amazon S3 server, together with this information breach is even then simply about other instance of storing sensitive information on a misconfigured cloud server.
The Kromtech Security Center was starting fourth dimension to discover a wide-open, public-facing misconfigured Amazon Web Server (AWS) S3 cloud storage bucket containing a cache belonging to SVR that was left publicly accessible for an unknown period.
Stands for Stolen Vehicle Records, the SVR Tracking service allows its customers to runway their vehicles inwards existent fourth dimension past times attaching a physical tracking device to vehicles inwards a discreet location, then their customers tin monitor together with recover them inwards instance their vehicles are stolen.
The leaked cache contained details of roughly 540,000 SVR accounts, including electronic mail addresses together with passwords, equally good equally users' vehicle data, similar VIN (vehicle identification number), IMEI numbers of GPS devices.
Since the leaked passwords were stored using SHA-1, a 20-years-old weak cryptographic hash purpose that was designed past times the U.S. of A. of America National Security Agency (NSA), which tin endure cracked amongst ease.
The leaked database likewise exposed 339 logs that contained photographs together with information almost vehicle condition together with maintenance records, along amongst a document amongst information on the 427 dealerships that work SVR's tracking services.
Interestingly, the exposed database likewise contained information where just inwards the motorcar the physical tracking unit of measurement was hidden.
According to Kromtech, the full publish of devices exposed "could endure much larger given the fact that many of the resellers or clients had large numbers of devices for tracking."
Since SVR's motorcar tracking device monitors a vehicle everywhere for the past times 120 days, anyone amongst access to SVR users' login credentials could both runway a vehicle inwards existent fourth dimension together with exercise a detailed log of every place the vehicle has visited using whatever mesh connected device similar a desktop, laptop, cellular telephone or tablet.
Eventually, the assaulter could outright bag the vehicle or fifty-fifty rob a domicile when they know a car's possessor is out.
Kromtech responsible alerted the society of the misconfigured AWS S3 cloud storage bucket, which has since been secured. However, It is unclear whether the publically accessible information was perhaps accessed past times hackers or not.
