Most organizations put the best training and security controls in place to protect user credentials against theft, yet attackers still have plenty of ways to compromise a network and steal data. It is not known how attackers managed to steal over 3.2 million data records from DriveSure, but the stolen information came from the company’s MySQL database. The result is that credentials for the site, along with several categories of private data, are now publicly exposed on the Internet.
DriveSure is a training site used to help car dealerships sell to and retain customers. It has millions of customers who sign up for training and course material. These customers supplied their full names, addresses, phone numbers, email addresses, vehicle identification numbers (VINs), service records, and damage claims, among many other pieces of information. The released data included large corporate accounts and military addresses.
Earlier this year, researchers noticed that this information had been uploaded to several hacking forums. Most attackers steal data in order to sell it at a profit, but the money that could have been generated did not seem to be the primary focus for this attacker, who gradually released the entire stolen database for free, without asking for any payment.
The attacker’s motive is still unknown, but the data was offered for free on numerous hacking forums, so anyone who could find the files online could obtain them. As more people downloaded the files, the data was reposted on other sites and reached an even wider audience. Any user who signed up on the DriveSure site should change their password there.
Aside from the sensitive private data, the DriveSure attacker also made over 93,000 bcrypt password hashes available for download. In a secure application, the developer stores a password as a salted hash rather than in plaintext, which makes it more difficult to crack. bcrypt is a standard password-hashing function, so DriveSure stored its passwords in a cryptographically secure way. Even so, once the hashes have been downloaded they can be brute forced offline for as long as the attacker likes, because nothing limits the number of attempts the way a login form would. Weak passwords can be cracked even when they are stored as a cryptographically secure hash.
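The following example is added here to illustrate the paragraph above; it is not code from the original article or from DriveSure. It shows what a salted, slow password hash buys a defender (a per-user salt and a tunable work factor), why a downloaded hash can still be guessed offline with no rate limit, and why a signup policy that rejects short or already-breached passwords matters more than the hash function for weak passwords. PBKDF2 from the Python standard library stands in for bcrypt because bcrypt is not in the standard library; the breached-password denylist is a constructed stand-in for a real feed, and all function names are this example's own.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed denylist standing in for a real breached-password feed (assumption).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

# Work factor. bcrypt's cost parameter plays the same role; PBKDF2 is used here
# only because it ships in the Python standard library.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt per user means two users with the same password get
    different stored values, so cracking one hash does not reveal the other.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def password_is_acceptable(password: str, min_length: int = 12) -> bool:
    """Policy check at signup: a short or already-breached password will fall to
    an offline dictionary attack no matter how strong the hash function is."""
    return len(password) >= min_length and password.lower() not in BREACHED_PASSWORDS


def offline_guess_seconds(stored: str, guesses: int) -> float:
    """Estimate how long someone holding this hash needs for `guesses` attempts,
    by timing one verification on this machine. Offline there is no lockout or
    rate limit, so the work factor is the only cost per guess."""
    start = time.perf_counter()
    verify_password("not-the-real-password", stored)
    return (time.perf_counter() - start) * guesses


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("policy rejects 'password':", not password_is_acceptable("password"))
    # A 10,000-word dictionary is tiny; even at this work factor it finishes in
    # minutes, which is why weak passwords are still lost.
    print("seconds for 10,000 guesses:", round(offline_guess_seconds(record, 10_000), 1))
```

The work factor only multiplies the attacker's cost per guess; it never makes a five-word dictionary safe. That is why the policy check and a breached-password denylist sit in front of the hash, and why the advice in this article is to change the password rather than rely on bcrypt.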
The problem with hashed passwords being available is that an attacker can spend days running cracking scripts against all of them. Weak passwords will be recovered, and many users reuse the same password across multiple sites. Since the email addresses are in the same dump, an attacker can script login attempts with the recovered passwords against other sites and take over any account where the victim reused their DriveSure password.
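As an added example (not part of the original article), here is the detection side of the attack the paragraph describes: a script that reuses leaked email-and-password pairs against another site shows up in that site's authentication log as one source trying many different accounts in a short window, which differs from a single account being guessed repeatedly. The log format, the field names and the log lines themselves are constructed for this example, using documentation IP ranges; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Set

# Constructed sample log lines (not real DriveSure data). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges; the format itself is an assumption.
SAMPLE_LOG = """\
2021-02-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2021-02-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=fail
2021-02-01T10:00:03Z ip=203.0.113.5 user=carol@example.com result=fail
2021-02-01T10:00:04Z ip=203.0.113.5 user=dave@example.com result=success
2021-02-01T10:00:05Z ip=203.0.113.5 user=erin@example.com result=fail
2021-02-01T10:00:06Z ip=198.51.100.7 user=frank@example.com result=fail
2021-02-01T10:00:20Z ip=198.51.100.7 user=frank@example.com result=fail
2021-02-01T10:00:40Z ip=198.51.100.7 user=frank@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format into dicts sorted by timestamp; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_credential_stuffing(text: str, window: timedelta = timedelta(minutes=5),
                               threshold: int = 4) -> Dict[str, Set[str]]:
    """Flag source IPs that attempt `threshold` or more distinct accounts within
    `window`. Returns ip -> set of accounts it touched while flagged."""
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) inside the window
    flagged: Dict[str, Set[str]] = {}
    for e in parse_log(text):
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()  # slide the window forward
        users = {u for _, u in q}
        if len(users) >= threshold:
            flagged.setdefault(e["ip"], set()).update(users)
    return flagged


def accounts_to_reset(text: str, **kwargs) -> List[str]:
    """Accounts where a flagged source actually logged in: the reused password
    worked, so these need a forced reset and session revocation."""
    flagged = detect_credential_stuffing(text, **kwargs)
    return sorted({e["user"] for e in parse_log(text)
                   if e["ip"] in flagged and e["result"] == "success"})


if __name__ == "__main__":
    for ip, users in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} distinct accounts in window")
    print("reset:", accounts_to_reset(SAMPLE_LOG))
```

In the sample, 203.0.113.5 works through five different accounts in five seconds and succeeds on one, which is the credential-stuffing signature; 198.51.100.7 hammers a single account, which is ordinary password guessing and is not flagged by this rule. The successful login from a flagged source is the actionable output: that user reused a password and should be reset, not merely warned.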
The data came from a hacked MySQL database, so any information DriveSure collected is at risk of exposure. The company encrypted the fields that compliance standards require to be encrypted, but much of the remaining data is available in plaintext.
Because DriveSure targeted businesses as customers, researchers found many business email accounts in the database dump. If your organization ever used DriveSure to train employees, any account information those employees gave the site is likely included in the dump online.
The dump is gigabytes in size and was spread across various hacking forums, so rather than hunting for the files to check who appears in them, the best defense is to change passwords immediately, even if the old password was long and stored as a secure hash. Any employee who used the same password on DriveSure as on the organizational network puts the organization at risk of a data breach.
It is not uncommon for attackers to use data found on the Internet to launch phishing attacks. They can email the users on the list directly or use the addresses to target other employees. If an attacker gains access to a user’s email account through the stolen credentials, that account can be used to send other employees messages that trick them into divulging sensitive information.
Email filters will stop spoofing attacks so that the leaked database cannot be used against your organization in a phishing campaign. You can also train users to recognize phishing attempts so that they do not fall victim to them. In addition to email filters, any user found in the database should change their password immediately, and users should be taught not to reuse the same password across several accounts so the same problem does not recur.