On August 19th I reported a non-password protected database that contained a massive 413GB of data and a total of 198 million records. The most shocking part was that I had seen this dataset several times in the previous weeks, but was unable to identify the owner. It was clear that this was a compilation of potential car buyers wanting more information, loan and finance inquiries, vehicles that were for sale, log data with ip addresses of visitors, and more.
Upon further investigation I noticed that many of the websites appeared to be a mix of lead generation sites and smaller, possibly independent dealerships. I called several of the websites found inside the database to ask where they purchased their leads and could never get a straight answer, despite informing them of a potential data breach. I spent several days trying to identify the owner of the database and there was no clear indication in the millions of records.
I initially thought this database could be a directory, but a directory would not contain such detailed information or back-end records. Another concern was that there were so many different websites that it almost seemed illogical that they could be owned by one organization. Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com. I immediately reached out to them regarding my discovery on Aug 19th.
The following day on Aug 20th I confirmed that the database was still publicly accessible and called Dealer Leads to responsibly notify them of the data exposure, since the emails were unsuccessful. I was able to speak with the General Sales Manager who was concerned and professional with getting the information secured and public access was closed shortly after my notification by phone.
“Dealer Leads, LLC is the culmination of 15 years spent purchasing auto related web domains. Founded in 2015, Dealer Leads provides high volume, high quality website traffic for franchise and independent car dealerships through our exclusive, wholly-owned classified sites and our manufacturer quality Research pages. According to Google Analytics unbiased tracking, DealerLeads is the highest converting vendor in the automotive industry 4 years running” – Dealer Leads LLC, Linkedin
Here is what I discovered:
- This was an Elasticsearch database set to open and visible in any browser (publicly accessible); anyone with an internet connection could access the data without administrative credentials.
- Records with names, email addresses, phone numbers, postal addresses, IP addresses, and other sensitive or identifiable information were exposed to the public internet in plain text.
- IP addresses, ports, paths, and storage information were exposed that cyber criminals could use to reach deeper into the network.
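The first finding above, an Elasticsearch node that answers to anyone without credentials, usually comes down to two settings: the HTTP API bound to every interface and security left disabled. The following is an added example, not code from the original post or from Dealer Leads, that an operator can run offline against their own `elasticsearch.yml` and against the response of a probe they make from outside their network. The configuration keys (`network.host`, `http.port`, `xpack.security.enabled`) are real Elasticsearch settings; the two sample configs and the two sample HTTP responses are constructed for illustration, and the example assumes the pre-8.x behaviour where an absent `xpack.security.enabled` means security is off.

```python
# Added example (not from the original post): an offline audit helper that
# flags the settings that most often leave an Elasticsearch node reachable
# without credentials, and classifies the response to an unauthenticated
# probe of the operator's OWN node. Sample files and responses are constructed.

import re

WEAK_YML = """\
# constructed sample: a node that answers to anyone on the internet
cluster.name: leads
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_YML = """\
# constructed sample: loopback-only binding with authentication turned on
cluster.name: leads
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Bind values that expose the HTTP API on every interface (or every site-local one).
PUBLIC_BIND_VALUES = {"0.0.0.0", "::", "_site_", "_global_"}


def parse_flat_yaml(text):
    """Parse the flat `key: value` lines used in elasticsearch.yml (no nesting)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        m = re.match(r"^([\w.]+)\s*:\s*(.+)$", line)
        if m:
            settings[m.group(1)] = m.group(2).strip().strip("'\"")
    return settings


def audit_settings(settings):
    """Return findings for settings that make anonymous access likely."""
    findings = []
    # Elasticsearch binds to loopback when network.host is not set.
    bind = settings.get("network.host", "127.0.0.1")
    if bind in PUBLIC_BIND_VALUES:
        findings.append(f"network.host={bind}: HTTP API listens on all interfaces")
    # Assumption for this example: absent means off, as on 6.x/7.x (8.x defaults to on).
    if settings.get("xpack.security.enabled", "false").lower() == "false":
        findings.append("xpack.security.enabled=false: no authentication on the API")
    return findings


def classify_probe(status, body):
    """Interpret an unauthenticated GET / against the node's HTTP port.

    `status` and `body` stand in for a response captured while checking one's
    own node from outside the network. A 401 means the security layer is
    answering; the cluster banner on a 200 means the node is wide open.
    """
    if status == 401:
        return "auth-required"
    if status == 200 and '"tagline"' in body and "You Know, for Search" in body:
        return "open"
    return "unknown"


# Constructed responses in the shape Elasticsearch returns for GET /.
SAMPLE_OPEN = (200, '{"name":"node-1","cluster_name":"leads",'
                    '"tagline":"You Know, for Search"}')
SAMPLE_CLOSED = (401, '{"error":{"type":"security_exception",'
                      '"reason":"missing authentication credentials"}},"status":401}')


if __name__ == "__main__":
    for label, yml in (("weak", WEAK_YML), ("hardened", HARDENED_YML)):
        print(label, audit_settings(parse_flat_yaml(yml)) or ["no findings"])
    print("probe(open)  ->", classify_probe(*SAMPLE_OPEN))
    print("probe(closed)->", classify_probe(*SAMPLE_CLOSED))
```

A node that passes `audit_settings` can still be exposed by a firewall rule or a reverse proxy in front of it, which is why the probe check from outside the network is kept as a separate step rather than inferred from the config file.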
Why so many websites?
As someone with an SEO background it was interesting to see that Dealer Leads has created a massive and highly targeted network of websites. All of the content is relevant and related to the auto industry or other specific target keywords, and this gives the links more value in Google’s eyes. When those links are pointed at a new domain or a primary domain, its value will theoretically skyrocket as that value is passed from site to site.
This also explained why there were so many unique domains inside the database. There is nothing wrong with this method and, as we see, it is very effective. Google changed their algorithms in 2012 to throw the little guys under the bus, so this is the reason why organizations of every size need complex SEO strategies to compete with Google’s advertising revenue goals.
According to Dealer Leads’ website:
- Domains Matching Search Terms. We solely own all of our thousands of automotive sites. Each site is specifically aimed at a precise buyer demographic or behavioral characteristic. This allows for an unprecedented level of control over who we target.
- The program generates a tremendous number of “Do Follow” backlinks from our classified sites and research pages. You control the anchor text on the links and we give you a link building campaign as a free byproduct of our program. This helps increase the effectiveness of your website and SEO vendors without spending a dime.
Dealer Leads acted fast to restrict public access immediately after the notification. Unfortunately, the data was exposed for an undetermined length of time and it is unclear who else may have had access to the millions of records that were publicly exposed. This is another wake-up call for any organization that collects and stores large amounts of data. It is crucial to ensure that the proper safeguards are in place. Data protection and privacy are now becoming a core part of the business landscape, and there is a growing shift where more and more people realize that customer data is just as important as the products or services.
It is unclear if Dealer Leads has notified individuals, dealerships, or authorities about the data incident. Because of the size and scope of the network, applicants and potential customers may not know if their data was exposed. Also, when contacting a local dealership in their hometown about a specific automobile, they may not have known that the website actually collected their data as a lead or that this data could potentially be stored, saved, sold, or shared via DealerLeads.
Dealer Leads LLC is based in Calabasas, California and the service was launched in 2015. The timing of this discovery falls just before the California Consumer Privacy Act goes into effect on Jan 1st, 2020. The law is meant to enhance privacy rights and consumer protection for residents of California and imposes fines and penalties.
As part of our responsible disclosure process we extend our assistance to organizations to help them understand how we discovered the data, any IP addresses used, time ranges, or answering any questions that may help their internal investigation process. This assistance is free of charge and much of the non-consulting research we do is not-for-profit or funded by bug bounties and discovery rewards.