Dealerleads Suffers Data Leak – 198 Million Car Owners Exposed

Another company has suffered from a major data leak. This time, Dealerleads, a company that owns numerous domains, leaked 198 million records.

If you bought a car recently, your information might have been compromised. That, at least, is the warning being published following another recent data leak. Security researchers recently uncovered the 413GB data set. From Forbes:

Have you bought a car recently? Or maybe you’ve just been looking for that dream vehicle? I hope you are sitting down then, as 198 million records from a car buyer marketing database have been exposed online in a truly massive data leak. Jeremiah Fowler, a senior security researcher at Security Discovery, turned detective after coming across the same 413GB dataset multiple times. “It was clear that this was a compilation of potential car buyers wanting more information,” Fowler said, as the data included “loan and finance inquiries, vehicles that were for sale, log data with IP addresses of visitors, and more.”

DealerLeads describes itself on LinkedIn as “The highest converting vendor in the automotive industry four years running according to Google Analytics!” According to the DealerLeads website, the company has “collected and purchased popular automobile relevant domains based on search terms used by car buyers,” for 20 years. “We have turned these frequently used search terms into a variety of websites SEO’d to match those search terms,” the sales pitch continues, “these sites capture users at all stages of the buying funnel.” The DealerLeads system aims to drive 1st generation leads directly to the websites of car dealers, claiming conversion rates of 18% compared to 3rd party leads that convert at 5%-7%.

The unsecured database was found to contain 198 million records including names, email addresses, phone numbers, street addresses along with, “other sensitive or identifiable information exposed to the public internet in plain text.” The security researcher also pointed out that data such as IP addresses, ports, pathways and storage info could be exploited by cybercriminals to navigate the network further.

The article goes on to say that the researcher contacted Dealerleads by e-mail about the incident. Unfortunately, no action was taken, so the researcher contacted them by phone. Only then did the unsecured database get taken offline.

September has had some pretty brutal headlines on the security front so far. The month started with the brutally ironic story of data security company Imperva getting hit with a data breach. What followed was the comparatively tame Yves Rocher data leak, which exposed 2.5 million Canadians. Of course, all the data leaks and breaches were easily eclipsed in size by the Facebook data leak, which saw 419 million phone numbers exposed. Then there is also the drama-filled data leak of Novaestrat, which saw 20 million Ecuadorian records exposed. The executive of the company was arrested by Ecuadorian authorities as a result.

Drew Wilson on Twitter: @icecube85 and Facebook.
