After a cybercriminal hacked the company and dumped multiple of its databases onto hacking forums, the personal information of millions of American car owners who subscribed to a roadside service program that DriveSure offers is now available online. A researcher at security vendor Risk Based Security spotted the database on the RaidForums hacking forum late last month and informed DriveSure of the issue this week. The databases contain names, addresses, cell phone numbers, and email addresses. They also include information on customers' vehicles, including their model, production and VIN numbers, along with service records and damage claims. The breach also contained 93,000 bcrypt-hashed passwords; bcrypt is a hashing scheme that applications commonly use to protect stored passwords. However, these passwords could still be cracked by brute force if a bad actor spends days running scripts against them.

DriveSure is a service provider that helps car dealerships build customer loyalty by using data about their interactions with customers. The Illinois-based company concentrates on retention of employees and consumer training programs, among other things.

Thompson exploited an unpatched flaw in the cloud firewall configuration to bypass the company's security measures and gain access to directories and data buckets. Thompson then uploaded the stolen data to GitHub and gradually updated it as she continued to hack. It is unclear whether she intended to earn money from her hacking. In the last few weeks, other prominent targets were also hit. They included Washington State unemployment claimants, who were affected by a security breach at an external service used by an auditor, and employees of air charter company Solairus Aviation.