An IndyCar archive left unprotected online, details on 200k racing fans exposed

A notorious security expert has discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

The notorious expert Chris Vickery has discovered an open Rsync server hosting the personal details for at least 200,000 racing fans.

Further analysis revealed that data belongs to the archive of a defunct racing forum called DownForce that was a component of a platform used by IndyCar.

Accessing the DownForce was costing a $28.99 fee, but racing fans could get access to a number of other services, including a private message board for “the INDY DownForce community” by paying a $13.99 supplemental fee.

According to Vickery, the archive included data related to the daily operations of the users of the forum, including employee login credentials.

Vickery has found open on the Internet the entire DownForce backup that contains details of hundreds of thousand users’ details, including first and last name, date of birth, gender, mailing address, password hash, security questions, and answers.

“The online security of over 200,000 Indycar racing fans was put in jeopardy recently. Earlier this month I discovered a large collection of publicly exposed MySQL database backup files at an IP resolving to ims-mysql.indycar.com.” reads a blog post published by the expert.

“It’s important to point out that the IndyCar bulletin board these accounts come from has since been retired. So, there is no need to change your IndyCar forum login password,” 

Why users’ data were left unprotected online?

“That’s nothing but liability. They are putting customers at risk for no gain,” said Vickery.

“I can only assume the attorneys and risk-management folks working for IndyCar were unaware that defunct forum logins were being stored.”

According to Salted Hash, the person who is managing the IndyCar account told Vickery the company was handling the issue.

Chris Vickery discovered many other clamorous cases of open database exposed on the Internet. In December 2015 the security expert discovered 191 million records belonging to US voters online, in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery has discovered online the database of the Kinoptic iOS app, which was abandoned by developers, with details of over 198,000 users.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – DownForce forum, racing fans)