Personal Data of 3 Million+ People Exposed In DriveSure Hack
February 1, 2021 • RBS
The Cyber Risk Analytics research team at Risk Based Security captures and analyzes thousands of data breaches annually. When it comes to breaches, larger or well-known organizations are usually given the most attention due to the potential damage a breach can cause. However, even data from a small company can have a seemingly far-reaching impact.
What Does DriveSure Do?
DriveSure is a car dealership service provider focused on employee training programs and customer retention. The Illinois-based company, also known as Krex Inc, has been operating since 1947. According to their website:
“DriveSure makes it easy for new car dealerships to offer unbeatable vehicle maintenance and bring customers back for service, tires, and unplanned repairs.”
By nature of the business and the company’s mission driving strong customer focus, DriveSure maintains a large amount of detailed client data. Car dealerships provide a variety of information on customer vehicles and history, making DriveSure a target for threat actors looking to pilfer valuable data.
On January 4th, 2021 our research team uncovered a threat actor posting multiple databases claiming to originate from drivesure.com and krexinc.com. The databases were shared on a popular English-speaking dark web hacking forum, and according to the threat actor, the data was dumped on December 19th, 2020.
In a lengthy post intended to prove the databases’ quality, the threat actor detailed the leaked files and the user information they contain. Typically, hackers share only the valuable segments or trimmed-down versions of user databases, but in this case numerous backend files and folders were leaked. After examining the compromised data, one of our researchers concluded that it appears to be valid.
One leaked folder totalled 22 GB and contained the company’s MySQL data, exposing 91 sensitive databases. These cover detailed dealership and inventory information, revenue data, reports, claims, and client data.
Separately, a second compromised folder contained 11,474 files in 105 folders and totalled 5.93 GB. Self-identified as “parser files”, they appear to be logs and backups of the databases and contain the same information as the SQL databases described above, adding to the trove of data.
Examining the files more closely reveals extensive types of user data exposed:
- Phone numbers
- Email addresses
- IP addresses
- Automobile details including car makes and models
- Vehicle identification numbers (VINs)
- Car service records and car dealership records
- Damage claims
- 93,063 bcrypt-hashed passwords
- Text and email messages with clients
Bcrypt is considered a strong password hashing scheme relative to older methods such as MD5 and SHA1; however, bcrypt hashes remain vulnerable to brute-force attacks, depending on the strength of the underlying password. Hackers can also use previous data breaches or other leaked user data to guess passwords and test them against the hashes.
Customer Email Address Domain Breakdown
One of the leaked files consists of a 1.5 GB customer SQL database. Risk Based Security researchers found the breached database to contain 3,283,725 unique user email addresses.
An analysis of the email address domains provides a clearer picture of which addresses hackers may consider most valuable. In the database we found 15,905 email addresses on .edu domains, as well as 2,896 on .mil and 1,725 on .gov domains.
It is common for people to use their professional email address when registering for personal services, though the number of government affiliated email addresses is always concerning.
Furthermore, there were 5,392 email addresses linked to S&P 100 companies, which are naturally highly sought-after credentials. Using a list of 25 top cybersecurity and technology companies to narrow our focus, we also found 413 email addresses linked to these types of organizations. This subset of email addresses potentially poses the highest risk to companies, as these vendors are widely used across most organizations.
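As an added illustration, not part of the RBS report, the following Python performs the kind of domain breakdown described above on a constructed sample rather than the breached data; the watchlist and sample addresses are made up.

```python
# Added example: classify a list of email addresses by sensitive TLD
# (.edu / .mil / .gov) and by a watchlist of organisations, counting
# unique addresses only, as the breakdown above does.
from collections import Counter

# Constructed watchlist standing in for the report's S&P 100 / vendor lists.
WATCHLIST = {"examplebank.com", "examplevendor.com"}

# Constructed sample rows, as an export of a users table might look:
# duplicates, mixed case and junk rows are included on purpose.
SAMPLE_EMAILS = [
    "alice@cs.stateu.edu",
    "ALICE@CS.STATEU.EDU",          # duplicate differing only in case
    "bob@army.mil",
    "carol@county.gov",
    "dave@examplebank.com",
    "erin@mail.examplevendor.com",  # subdomain of a watchlisted org
    "frank@example.com",
    "not-an-email",                 # junk row, ignored
    "",
]

def normalise(addr):
    """Lower-case and strip; return None if it does not look like an address."""
    addr = addr.strip().lower()
    if addr.count("@") != 1 or not addr.split("@")[1]:
        return None
    return addr

def domain_breakdown(emails, watchlist=WATCHLIST):
    """Count unique addresses by sensitive TLD and by watchlisted organisation.

    Returns a dict with the number of unique addresses, per-TLD counts for
    .edu/.mil/.gov, and counts per watchlisted organisation (matched on the
    domain itself or any of its subdomains).
    """
    unique = {a for a in (normalise(e) for e in emails) if a}
    tld_counts = Counter()
    org_counts = Counter()
    for addr in unique:
        domain = addr.split("@")[1]
        tld = domain.rsplit(".", 1)[-1]
        if tld in ("edu", "mil", "gov"):
            tld_counts[tld] += 1
        for org in watchlist:
            if domain == org or domain.endswith("." + org):
                org_counts[org] += 1
    return {"unique": len(unique), "tld": dict(tld_counts), "watchlist": dict(org_counts)}
```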
While only a small subset of users set an online password, the email addresses combined with the lengthy personal information can pose a severe risk to affected organizations and users.
Increased Risk for Scams
The information leaked in these databases is prime for exploitation by threat actors, and in particular for insurance scams. Criminals can use personally identifiable information, damage claims, extended car details, and dealer and warranty information to target insurance companies and policyholders.
Moreover, user credentials are used by threat actors to break into other valuable platforms such as bank accounts, personal email accounts, and corporate systems. The diverse set of user data can also be used to guess and crack security questions often used by companies to reset passwords. Commercial email addresses can even be targets for spear-phishing or extortion.
The information can also be used to put together a dossier on an individual, which is sold on dark web marketplaces at a premium if there is enough recent data to be exploited.
Senior leadership from DriveSure responded to Risk Based Security in a very timely manner and has indicated that they are aware and have investigated the event.
Cyber Risk Analytics
Interested in more data breach information? Transform headlines into actionable intelligence with Cyber Risk Analytics.
Cyber Risk Analytics is the standard for actionable data breach intelligence, risk ratings and supply chain monitoring. Avoid costly risk assessments while acting quickly to proactively protect your most critical information assets. Don’t let security gaps of other organizations affect you.