10 Million VIN Numbers Exposed! Offline Criminals Now Targeting Car Owners, Stealing Cars Using Online Data and Cloned VIN Numbers.
Kromtech Security Researchers have discovered an unprotected database of what appears to be a collection of marketing data from large and small US-based auto dealerships.
The carefully compiled database contains information on 10 million car owners across the US. It is structured so that anyone who reaches it has access to three sets of data: customer details, vehicle details and sales details. The customer details include personal information such as full name, address, mobile/home/work phone numbers, email, birth date, gender, and children over 12 years old. The vehicle details include the Vehicle Identification Number (VIN), model, model year, sales rep name and mileage. The sales details include the VIN, odometer mileage, sales gross, pay type, monthly payment amount, purchase price and payment type (cash, bank, card). Because every record ties a real person to a real vehicle and its VIN, the exposure is more than a marketing-data leak: it is a ready-made inventory for the fraud described below.
The Real Threat: Criminals Now Using VINs To Steal Cars or Commit Fraud
Sophisticated criminals have found a way to combine traditional offline crime, stealing cars, with leaked or hacked data. They use the exposed records to obtain the unique identifier of a legitimately owned vehicle and then "clone" that VIN so a stolen car of the same make and model appears to be perfectly legal. The VIN is the identifying code for a single automobile; no two vehicles should carry the same one. This leak is a warning notice to auto dealerships to do more to protect not just their customer data but also the details of the cars they sell.
The criminals choose the make and model of the car they want to steal, look up the VIN of a legitimately registered car of that make and model in the database, stamp a new VIN plate carrying that number and obtain a fake title to match. Because the cloned VIN is copied from a real vehicle, it is a valid VIN in every structural sense; the fraud only becomes visible when the same VIN turns up in two places with details that do not agree. Once the criminals have the stolen car and the real VIN from the database, they can sell the car to an unsuspecting buyer. The victim may not realize the car is stolen until the criminals are long gone with the money and there is no chance of getting it back.
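The point that a cloned VIN passes every format check is worth seeing concretely. The following is an added example written for this post, not code from Kromtech or from the article: it validates a VIN's syntax and check digit using the North American check-digit algorithm (49 CFR Part 565), then runs a simple consistency heuristic over sales records shaped like the fields described above (VIN, model, model year, odometer). The sample records, the field names and the heuristic itself are assumptions of this example; the two VINs used are the standard textbook test values, not real vehicles.

```python
"""VIN check-digit validation plus a cloned-VIN consistency heuristic.

Added example, not code from Kromtech or the article. The check-digit
algorithm is the North American one (49 CFR Part 565). Record layout,
sample data and the duplicate-VIN heuristic are assumptions made here.
"""
from collections import defaultdict

# Letter-to-number transliteration used by the check digit. I, O and Q
# are never used in a VIN, so their absence from the table rejects them.
_TRANSLIT = dict(zip("ABCDEFGHJKLMNPRSTUVWXYZ",
                     [1, 2, 3, 4, 5, 6, 7, 8, 1, 2, 3, 4, 5, 7, 9,
                      2, 3, 4, 5, 6, 7, 8, 9]))
_TRANSLIT.update({d: int(d) for d in "0123456789"})
# Positional weights; position 9 (index 8) is the check digit, weight 0.
_WEIGHTS = [8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2]


def vin_check_digit(vin: str) -> str:
    """Return the expected 9th character for a 17-character VIN."""
    total = sum(_TRANSLIT[ch] * w for ch, w in zip(vin.upper(), _WEIGHTS))
    rem = total % 11
    return "X" if rem == 10 else str(rem)


def vin_is_well_formed(vin: str) -> bool:
    """True if the VIN has 17 allowed characters and a correct check digit.

    A cloned VIN is copied from a real car, so it always passes this test;
    the check only catches typos and forgeries that were not copied.
    """
    vin = vin.upper()
    if len(vin) != 17 or any(ch not in _TRANSLIT for ch in vin):
        return False
    return vin[8] == vin_check_digit(vin)


def find_vin_conflicts(records):
    """Flag VINs whose sales records cannot describe one physical car.

    Heuristic (an assumption of this example): a legitimately resold car
    keeps its model and model year, and its odometer only increases over
    time. Two different cars sharing one VIN, the cloning case, usually
    violate one of these. Returns {vin: [reason, ...]} for the violators.
    """
    by_vin = defaultdict(list)
    for rec in records:
        by_vin[rec["vin"].upper()].append(rec)

    conflicts = {}
    for vin, recs in by_vin.items():
        recs = sorted(recs, key=lambda r: r["sale_date"])
        reasons = []
        if len({(r["model"], r["model_year"]) for r in recs}) > 1:
            reasons.append("model/year mismatch across sales")
        for earlier, later in zip(recs, recs[1:]):
            if later["odometer"] < earlier["odometer"]:
                reasons.append(
                    f"odometer fell from {earlier['odometer']} "
                    f"({earlier['sale_date']}) to {later['odometer']} "
                    f"({later['sale_date']})")
        if reasons:
            conflicts[vin] = reasons
    return conflicts


# Constructed sample records; VINs are textbook test values, not real cars.
SAMPLE_RECORDS = [
    # One car resold once: same model/year, odometer grows. Legitimate.
    {"vin": "1M8GDM9AXKP042788", "model": "Wrangler", "model_year": 2015,
     "odometer": 12000, "sale_date": "2016-03-01"},
    {"vin": "1M8GDM9AXKP042788", "model": "Wrangler", "model_year": 2015,
     "odometer": 31000, "sale_date": "2017-05-20"},
    # Same VIN on two different cars: year changes, odometer goes backwards.
    {"vin": "11111111111111111", "model": "Wrangler", "model_year": 2014,
     "odometer": 40000, "sale_date": "2016-08-10"},
    {"vin": "11111111111111111", "model": "Wrangler", "model_year": 2016,
     "odometer": 9000, "sale_date": "2017-01-15"},
]


def all_sample_vins_well_formed() -> bool:
    """Every sample VIN, cloned or not, passes the syntactic check."""
    return all(vin_is_well_formed(r["vin"]) for r in SAMPLE_RECORDS)


if __name__ == "__main__":
    print("all VINs well-formed:", all_sample_vins_well_formed())
    for vin, reasons in find_vin_conflicts(SAMPLE_RECORDS).items():
        print(vin, "->", "; ".join(reasons))
```

Running it shows both VINs passing `vin_is_well_formed`, while only the duplicated VIN is reported by `find_vin_conflicts`. The takeaway for a dealership or a buyer is the same as in the text: syntactic VIN validation cannot detect a clone, only cross-checking the VIN against independent records (title, registration, prior sales) can.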
It was reported on June 1st that the Hooligans biker gang has been charged in connection with a string of Jeep Wrangler thefts that police say totaled $4.5 million worth of stolen vehicles.
The database seen by Kromtech researchers includes 16,522 Jeep Wranglers with unique VINs.
According to the article, the gang used a hacked database to duplicate Vehicle Identification Numbers, also known as VIN numbers.
“Using a compromised database of VINs for Jeep Wranglers, these bikers were able to create duplicate keys to gain access to the Jeeps they targeted. It’s unclear how the Hooligans got access to this database of VINs.”
Carfax, the web-based service that supplies vehicle history reports, had warned in late 2015 that a VIN cloning scam was sweeping the country, costing consumers tens of thousands of dollars and leaving them without the cars they thought they had paid for.
With such a large number of automobile VINs exposed, researchers are warning car dealerships to take every possible measure to secure their data. Cyber criminals are becoming more creative by the day, and the crossover from online crime to stealing cars is a disturbing trend.
The database has been online for more than 137 days now. Security researchers have yet to identify the owner of the database and ask anyone from the exposed dealerships, or the potential owner, to contact us.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org