An IndyCar archive left unprotected online, details on 200k racing fans exposed

A notorious security expert has discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

The notorious expert Chris Vickery has discovered an open Rsync server hosting the personal details for at least 200,000 racing fans.

Further analysis revealed that data belongs to the archive of a defunct racing forum called DownForce that was a component of a platform used by IndyCar.

Accessing the DownForce was costing a $28.99 fee, but racing fans could get access to a number of other services, including a private message board for “the INDY DownForce community” by paying a $13.99 supplemental fee.

According to Vickery, the archive included data related to the daily operations of the users of the forum, including employee login credentials.

Vickery has found open on the Internet the entire DownForce backup that contains details of hundreds of thousand users’ details, including first and last name, date of birth, gender, mailing address, password hash, security questions, and answers.

“The online security of over 200,000 Indycar racing fans was put in jeopardy recently. Earlier this month I discovered a large collection of publicly exposed MySQL database backup files at an IP resolving to ims-mysql.indycar.com.” reads a blog post published by the expert.

“It’s important to point out that the IndyCar bulletin board these accounts come from has since been retired. So, there is no need to change your IndyCar forum login password,”

Why users’ data were left unprotected online?

“That’s nothing but liability. They are putting customers at risk for no gain,” said Vickery.

“I can only assume the attorneys and risk-management folks working for IndyCar were unaware that defunct forum logins were being stored.”

According to Salted Hash, the person who is managing the IndyCar account told Vickery the company was handling the issue.

Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DownForce forum, racing fans)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.