Honda is hacked; personal details of more than 976 million customers leaked

As a result of a recent massive data breach involving about 976 million records, nearly one million files were exposed in a Honda automotive company database, which contained various details about thousands of vehicles and their owners, as reported by web application security specialists.

The report mentions that it was not necessary to enter a password or any other authentication method to access the compromised database, so it was completely exposed to any user.

Bob Diachenko, renowned web application security researcher and expert, dedicated to the search of compromised information exposed in public Internet, was in charge of reporting the incident, after identifying an unprotected Elasticsearch cluster, which stored 976 million records, all belonging to Honda in North America.

Diachenko mentions that the database would have been exposed for at least a week, long enough for any threat actor to access, copy and store the information for malicious purposes.

Personal details exposed during the incident include:

  • Full names
  • Addresses
  • Phone numbers
  • Email addresses
  • Make and model of the vehicle
  • Number of vehicle plates
  • Records on maintenance services

Web application security firms have previously reported similar incidents due to omissions by Honda staff. According to Chris DeRamus, from DivvyCloud security firm: “In January 2019 it was detected data breach that compromised information belonging to the automotive company. The database was completely exposed,” the expert said.

Incorrect security configurations when enabling a database are the primary cause of information exposure incidents, as it is estimated that more than half of these incidents could be avoided if the staff in charge of managing these incidents implementations will enable appropriate measures.

However, the features inherent in this class of implementations lead to user ignorance, so security best practices, even if they exist and are ready to be enabled, will not be used, since users ignore they are even available, say web application security specialists.

Specialists from the International Institute of Cyber Security (IICS) believe that preventing these misconfigurations would significantly reduce incidents of database information exposure in any company.