Although the vast majority of organizations invest in the highest standards of training and security measures to safeguard their databases from cybercriminals, breaches still happen and expose vast amounts of protected information.

Recently cybercriminals illegally obtained more than 3.2 million data records from DriveSure, a training site used to help car dealerships sell and retain customers. This data had been stored on the company's MySQL database, meaning that credentials for the site and many others were publicly exposed to anyone who could get hold of the information in question.

DriveSure has millions of customers who subscribe for training and course material. These customers handed over their complete names, addresses, phone numbers, emails, vehicle VIN numbers, service records, and damage claims, among many other pieces of information. Large corporate accounts and military addresses were also affected by the breach.

Earlier in 2021, experts discovered that this information had been published on a number of hacking forums. While the majority of cybercriminals sell data like this for a profit, in this case the hackers did not seem interested in making money. Instead, the hacker made the entire database of stolen data available for free, without asking for any payment.

The attacker’s motive remains unclear, but the data was made available free of charge on many hacking forums, so anyone able to locate the files online could obtain it. As more people downloaded the files, the data spread to other sites and reached a wider audience. Any user who subscribed to DriveSure now needs to change their password.

Apart from the private sensitive data, the individual responsible for the DriveSure breach made over 93,000 bcrypt hashed passwords available for download. In a secure application, the developer saves a password as a hashed value with a salt to make it more difficult to recover. The bcrypt function is standard for hashing passwords, so DriveSure used a cryptographically secure way to store passwords. Even when a password is stored in a cryptographically secure way, downloaded password hashes can be brute forced over a long period of time, because nothing is in place to restrict the number of attempts. Weak passwords can be brute forced even when stored as a cryptographically secure hash.

The problem with having hashed passwords available is that a hacker can spend days running scripts against all of them. Any weak passwords can be brute forced, and many users employ the same password across multiple sites. Since email addresses are also available, an attacker will use scripts to take over accounts on other sites that use the same passwords stolen from the DriveSure site. This gives a hacker access to every account that reuses the same password, on the DriveSure site and elsewhere.
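The storage format described above can be audited from the defender's side. The following is an added example, not code from the article or from DriveSure: it parses bcrypt strings, flags rows with a low cost factor or no bcrypt at all, and estimates how long an unthrottled offline search would take. The `MIN_COST` threshold, the guess rate and the sample rows are assumptions constructed for the illustration.

```python
import re
from typing import NamedTuple, Optional

# Modular crypt format used by bcrypt: $<version>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})")
MIN_COST = 12  # assumed policy threshold for this example, not a value from the article

class BcryptHash(NamedTuple):
    version: str
    cost: int
    salt: str
    digest: str

def parse_bcrypt(value: str) -> Optional[BcryptHash]:
    """Split a stored bcrypt string into its fields; None if it is not well formed."""
    m = BCRYPT_RE.fullmatch(value.strip())
    if m is None or not 4 <= int(m.group(2)) <= 31:  # bcrypt cost range is 4..31
        return None
    return BcryptHash(m.group(1), int(m.group(2)), m.group(3), m.group(4))

def audit(stored: dict) -> dict:
    """Map each account to 'ok', 'weak-cost' or 'not-bcrypt'."""
    result = {}
    for account, value in stored.items():
        parsed = parse_bcrypt(value)
        if parsed is None:
            result[account] = "not-bcrypt"
        else:
            result[account] = "ok" if parsed.cost >= MIN_COST else "weak-cost"
    return result

def offline_seconds(candidates: int, hashes: int, cost: int, rate_at_cost_10: float) -> float:
    """Seconds to try `candidates` passwords against every hash with no attempt limit.
    Per-hash salts mean no guess is shared between hashes; each cost step doubles
    the work. rate_at_cost_10 (guesses per second) is an assumed figure."""
    return candidates * hashes * 2 ** (cost - 10) / rate_at_cost_10

# Constructed sample rows: placeholder salt/digest characters, not real hashes.
SAMPLE = {
    "alice": "$2b$12$" + "A" * 22 + "B" * 31,
    "bob": "$2a$08$" + "C" * 22 + "D" * 31,
    "carol": "e" * 32,  # bare 32-hex digest with no salt or cost field
}

if __name__ == "__main__":
    print(audit(SAMPLE))
    # One million candidate passwords against 93,000 hashes at cost 12
    print(offline_seconds(1_000_000, 93_000, 12, 10_000.0) / 86_400, "days")
```

With the assumed rate, a one-million-entry candidate list against all 93,000 hashes takes roughly 430 days on one machine, which is why only weak or reused passwords fall quickly and why the cost factor matters.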

The company encrypted the data that compliance standards require to be encrypted, but much of the data is available in plaintext.

Email filters could have blocked the spoofing attacks so that the leaked database could not be used against the organization in a phishing attack. Additionally, users should have been informed that it is unacceptable to use the same password across several accounts, to avoid problems in the future.