Automotive Retailer DB Config Error Leaks 1.2M Customer Records
Take action: Exposing your database to the internet without a password is a huge problem. Taking three weeks to secure the exposed database after being informed through responsible disclosure is just sad.
SimpleTire, a popular automotive tire retailer, has experienced a database configuration error that exposed approximately 1 TB of data, including customers' personal information.
SimpleTire claims to have a vast network of over 10,000 installers and more than 3,000 independent supply points.
The publicly accessible, non-password-protected database was discovered by a security researcher, who attempted to inform SimpleTire of the issue by sending "multiple email notices" in order to disclose his findings responsibly. Unfortunately, the database remained exposed for more than three weeks before proper security measures were finally implemented to restrict access.
How long the database had been publicly exposed before it was discovered remains unclear.
The SimpleTire database contained over 2.8 million records, including 1.2 million order confirmation PDFs containing personally identifiable information (PII) of customers. The exposed PII encompassed customer names, phone numbers, and billing addresses. Additionally, the order records contained partial credit card numbers and expiry dates.
The leak raises concerns about social engineering attacks if malicious actors managed to access the database while it was exposed. Attackers could contact customers, posing as SimpleTire or one of its installers, and deceive them into "updating" their payment details, using the leaked purchase details to build a convincing back-story.