Drivesure Data Breach

Drivesure, a dealership service provider, was the victim of a data breach in December of last year. In the aftermath, 26GB of personal data was downloaded and shared via hacking forums. The data breached included names address, addresses and telephone numbers of 3.2 million buyers and also text messages and emails between clients and traders VINs of vehicles, as well as service records. More than 93, 000 Bcrypt hashed passwords were also released. While bcrypt hashes can be considered superior to older methods like SHA1 or MD5 However, they could be used to brute force after downloading, according to Risk Based Security.

In a lengthy post on Raidforums the hacker “pompompurin” provided details of the leaked user information and files. This is unusual, as hackers generally only share important segments or trimmed-down versions of the databases they have found.

The database was exposed because of a configuration error in an AWS bucket used by the company according to CISO Magazine. The AWS bucket had been left unprotected, which allowed anyone to access the contents and data. This included over one million email addresses in plaintext, as were passwords encrypted with bcrypt.

The breach is a serious concern for those who use drivesure, because they are more likely to be victims of identity theft or fraud in the event that their personal information is stolen. Those who use the site should immediately change their passwords. They should also consider changing their login credentials on other websites that use the same credentials.