The unsecured AWS S3 cloud storage bucket containing SVR Tracking data was discovered by experts at Kromtech Security Center.The SVR Tracking service allows its customers to track their vehicles in real time by using a physical tracking device hidden in the vehicles.

A few hours ago Verizon data was leaked online, and last week a similar incident affected the entertainment giant Viacom , in both cases data were found on an unsecured Amazon S3 server.

The incident potentially exposes the personal data and vehicle details of drivers and businesses using the SVR Tracking service.

Another day, another data breach to report, login credentials of more than half a million records belonging to vehicle tracking device company SVR Tracking (aka Stolen Vehicle Records Tracking) have been leaked online.

The S3 bucket contained details of roughly 540,000 SVR accounts, including email addresses and passwords, as well as users’ vehicle data, such as VIN (vehicle identification number) and the IMEI numbers of GPS devices.

The exposed archive also includes information where the tracking device was hidden in the car.

“The repository contained over a half of a million records with logins / passwords, emails, VIN (vehicle identification number), IMEI numbers of GPS devices and other data that is collected on their devices, customers and auto dealerships. Interestingly, exposed database also contained information where exactly in the car the tracking unit was hidden.” reads the blog post published by Kromtech.

Experts highlighted that leaked passwords were protected by the weak SHA-1 hashing algorithm that was easy to crack.

“The experts discovered a Backup Folder named “accounts” contained 540,642 ID numbers, account information that included many plate & vin numbers, emails, hashed passwords, IMEI numbers and more. ” continues the analysis.

It includes also:

116 GB of Hourly Backups

8.5 GB of Daily Backups from 2017

339 documents called “logs” that contained data from a wider date range of 2015-2017 UpdateAllVehicleImages, SynchVehicleStatus, maintenance records.

Document with information on the 427 dealerships that use their tracking information.

Since archive also included the position of the vehicles for the past 120 days.

The overall number of devices could be greater because many of the resellers or clients had large numbers of devices for tracking.

Kromtech reported the discovery to the SVR that promptly secured it. However, it is unclear whether the publicly accessible data was possibly accessed by hackers or not.

At the time, it is not clear if hackers accessed the data while they unsecured online.

Pierluigi Paganini

(Security Affairs – SVR Tracking, data leak)