The leaked files contained full names, addresses, FICO credit scores, and partial Social Security numbers.
A data breach at a California-based auto lending company exposed the personal information of at least half a million customers—and potentially more than a million.
Kromtech Security Researchers discovered the repository online this week and identified the owner as Alliance Direct Lending Corporation, an automotive finance company whose website promotes its use of encryption to protect customer details. According to Kromtech, however, out of the roughly 1,000 files contained in the repository, more than 200 were not secured.
The researchers discovered what appears to be customer purchase information, including full names, addresses, FICO credit scores, vehicle information, and the last four digits of Social Security numbers. The leak also included several audio recordings of conversations between customers and lenders, in both Spanish and English. These “consent calls” included the customers’ names, dates of birth, Social Security numbers, and phone numbers.
The publicly accessible data was stored in an Amazon Web Services (AWS) S3 bucket, a cloud storage container.
While Kromtech was able to locate these files online with relative ease, it remains unclear whether the data was accessed by anyone else—including anyone with criminal intent—before the breach was resolved. It’s also unclear for how long the data could be accessed by anyone online. According to Kromtech, the properties on the storage device show that it was last modified on Dec. 29, 2016.
“The IT administrator claimed that [the data] had only recently been leaked and was not up for long,” said Bob Diachenko, a Kromtech security researcher.
“The danger of this information being leaked is that cyber criminals would have enough to engage in identity theft, obtain credit cards, or even file a false tax return,” continued Diachenko. “Alliance Direct Lending is based in California where the law requires notification of a breach when a California resident’s unencrypted personal information is compromised. California was the first state in the U.S. to require notification of security breaches.”
The auto lender's breach is the second publicly reported by Kromtech this week. The first was at an online futures trading brokerage called AMP, which exposed thousands of customer details, including credit reports, passport scans, and customer chat logs. The leak, caused by a misconfigured backup storage device, was secured shortly after Kromtech reached out to the company.
Earlier this month, Kromtech discovered a massive data breach at Schoolzilla, a U.S.-based data warehouse that held information on more than a million K-12 students in the United States. The breach reportedly included a slew of test scores and Social Security numbers. The leaky device was secured within 24 hours of Kromtech’s notification.
Dell Cameron was a reporter at the Daily Dot who covered security and politics. In 2015, he revealed the existence of an American hacker on the U.S. government's terrorist watchlist. He is a co-author of the Sabu Files, an award-nominated investigation into the FBI's use of cyber-informants. He became a staff writer at Gizmodo in 2017.