198M Car Buyers’ Personal Data Exposed After A Data Breach

Personal records and data of 198 million potential car buyers were exposed, after a massive data breach.

A senior security researcher at Security Discovery found out about the breach in one of the highest converting vendor in the automotive industry, which is DealerLeads.

The compilation of millions of car buyer information were all in the same dataset with 413GB of memory.

According to PYMNTS, the data exposed contained buyer’s full names, email addresses, phone numbers, identification information, and street addresses. The information was in clear text for the public internet to see.


Senior researcher Jeremiah Fowler said, “It was clear that this was a compilation of potential car buyers wanting more information.” The data also included loan inquiries, finance, and vehicles for sale, with IP addresses of visitors.

198M Car Buyers’ Personal Data Exposed After A Data Breach

The website, DealerLeads.com collects and purchases automobile relevant domains based on search terms used by car buyers. The data breach incident was reported by Fowler and DealerLeads closed public access shortly after the report.

According to Fowler, “it is unclear if DealerLeads has notified individuals, dealerships, or authorities about the data incident, and as a result, potential customers may not know if their data was exposed.”

Part of the security measures of the Federal government is for companies to report a data breach to its customers and the authorities. This can help customers prepare for any privacy and security damages, and for the authorities to investigate the matter.


Technical Misconfiguration Issue

For experts, the problem here is considered a technical misconfiguration issue, that roots from the lack of security culture in some websites and database. Because DealerLeads.com is a public cloud-based data, the security precaution must be established and effective protection is necessary.

Forbes reports that simple fundamental security policies must be implemented to reduce risks. Senior security strategist, Jonathan Knudsen said, “All that was needed was a simple policy that every internet-facing system needs password protection, data encryption, or other fundamental protections.”

For Cybereason chief information security officer Israel Barak, the breach highlights the importance of adversaries in preventing attackers. “The vast attack surface is extremely difficult to defend, and when databases are left exposed in the manner that is being reported, it doesn’t take a lot of ingenuity or creativity for the adversary to stay one step ahead of defenders,” added Barak.

DealerLeads was founded in 2015 and is dubbed as the highest converting vendor in the automotive industry.