Nearly 15,000 accounts raided at automaker sites to harvest vehicle IDs, report says

Cybercriminals appear to have deployed bots to break into customer accounts at several large automakers, then harvested important information about thousands of individual vehicles and offered it for sale in private Telegram channels, researchers said Tuesday.

The evidence suggests the hackers used automated account takeover (ATO) techniques to “access to personal information as well as vehicle data such as car make, model, registered user, address, and vehicle identification number (VIN),” the report from cybersecurity firm Kasada said.

The researchers did not name the automakers, but said one is based in Europe and the other two are in the U.S. A representative of Kasada told Recorded Future News that the company contacted the automakers about its findings.

About 15,000 accounts were for sale for about $2 per account, Kasada said, warning that the VINs in particular could be useful for fraud.

“In addition to enabling identity theft, it also provides information for criminals to target theft of particular car makes and models, register stolen vehicles, and take over GPS-enabled mobile apps,” the report said.

The researchers verified the data, including the VINs, the Kasada representative said.

The researchers suspect the account information was captured in a multi-step process.

First, bots were loaded with login information stolen from other everyday sites. The assumption is that because people often reuse passwords across the web, they sometimes can be repurposed for credential stuffing, or the process of trying logins in bulk until some of them work.

After the bots successfully broke into an account, they collected useful information and exfiltrated it to servers controlled by the hackers — the ATO part of the process.

Kasada pays close attention to illicit bots, warning recently of those that enable prescription drug scams and others that try to undercut retailers around the holidays.

Other reported targets of credential stuffing attacks have included grocery and food delivery services, sports betting platforms and even a password-managing app and a cybersecurity company.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.

Joe Warminsky

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.