Passwords and much more for 540,000 SVR Tracking accounts leaked online

Login credentials for 540K records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

Another day, another data breach to report, login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.

A few hours ago Verizon data was leaked online, and last week a similar incident affected the entertainment giant Viacom, in both cases data were found on an unsecured Amazon S3 server.

The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center.The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.

The S3 bucket contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VIN (vehicle identification number) and the IMEI numbers of GPS devices.

The exposed archive also includes information where the tracking device was hidden in the car.

“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.

Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.

“The experts discovered a Backup Folder named “accounts” contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more. ” continues the analysis.

It includes also:

116 GB of Hourly Backups
8.5 GB of Daily Backups from 2017
339 documents called “logs” that contained data from a wider date range of 2015-2017 UpdateAllVehicleImages, SynchVehicleStatus, maintenance records.
Document with information on the 427 dealerships that use their tracking information.

Since archive also included the position of the vehicles for the past 120 days.

The overall number of devices could be greater because many of the resellers or clients had large numbers of devices for tracking.

Kromtech reported the discovery to the SVR that promptly secured it. However, it is unclear whether the publicly accessible data was possibly accessed by hackers or not.

At the time, it is not clear if hackers accessed the data while they unsecured online.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – SVR Tracking, data leak)

[adrotate banner=”12″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.