Drivesure, a car dealership service provider, suffered a data infringement last December that resulted in 26GB of private information being downloaded and distributed on forums for hackers. The data set hacked included names address, addresses and phone numbers of 3.2 million buyers as well as emails and text messages between the clients of traders VINs of vehicles, as well as service records. Also, more than 000 hashed bcrypt passwords were released. Although bcrypt hashes are deemed more secure than traditional strategies like SHA1 or MD5, they can still be brute forced after downloading, reports Risk Based Security.

Hacker “pompompurin” disclosed the leaked files and user information in a lengthy post on Raidforums. This is unusual as hackers usually share only valuable parts or cut-down versions of databases they have discovered.

The database was leaked because of a configuration issue in an AWS bucket that was used by the company according to CISO Magazine. The AWS bucket had been left unprotected, which allowed anyone to gain access to the contents and data. This included more than one million email addresses in plaintext, as were passwords that were encrypted using the bcrypt encryption method.

The breach is of major worry for those who utilize drivesure, as they are likely to be victims of identity theft or fraud in the event that their personal information is stolen. Users of the site should immediately change their passwords. In addition, they should think about changing their login credentials on other sites that use the same credentials.

board portal software