540,000 Car Tracking Credentials got Leaked Online

It seems like Data breaches have become a norm. It’s another day and yet another failure at the security of the nation, and this one’s a bit more concerning than the others. Login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking have leaked online, potentially exposing the personal data and vehicle details of drivers and businesses using its service.

Stolen Vehicle Records (SVR) is a service that allows concerned users to track their cars in real time. The way they do this is by attaching a physical tracking device to vehicles in a discreet location, so their customers can monitor and recover them in case their vehicles are stolen.

Since SVR’s car tracking device monitors a vehicle everywhere for the past 120 days, users could both track a vehicle in real time and create a detailed log of every location the vehicle has visited using any internet connected device like a desktop, laptop, mobile phone or tablet.

When the leak occurred, roughly 540,000 SVR accounts were included in the cache that was stolen. The data stored in the caches were that of email addresses and passwords, as well as users’ vehicle data, like VIN (vehicle identification number) and IMEI numbers of GPS devices.

The databases also included the exact location of the tracking devices. In other words, the hackers got to know where the tracking device was hidden into. Why would anybody include those details in the data of the users is beyond me, but hey, whatever.

Kromtech, the company responsible for SVR has declared that the total number of exposed devices could be higher. This due to the fact that many of the resellers or clients had large numbers of devices for tracking.

The company also warns their employees against using the AWS S3 Cloud Storage Bucket. Because that’s where this incident majorly generated from. Since the attack occurred, the Storage Bucket was secured.

Seems like this incident could maybe cause a huge index of stolen cars. Considering the fact that a detailed log can be created, the people who possess the user credentials just have to wait until the owner of the vehicle is absent. Then, it’s all a matter of time before the criminal does their move. Companies are so incredibly vulnerable, and the worst part is that they are the people in possession of our data.