Hackers Are Selling Data Stolen From Audi and Volkswagen

On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum.

In the sales listing reviewed by Motherboard, a hacker that goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers. 

The type of data seems to align with what Volkwagen admitted was stolen. In a website set up by a cybersecurity vendor on behalf of the car maker, Volkswagen said that "the majority" of affected data included: "first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages." But for 90,000 victims, the data also included "more sensitive information relating to eligibility for a purchase, loan, or lease.

Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers," according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.) 

"There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers," the website read. 

Motherboard reached out to all the people included in the samples, either via email or phone. Seven of the people contacted confirmed that at least one piece of their data published by the hackers was real. 

Alon Gal, the co-founder and CTO of cybersecurity firm Hudson Rock, alerted Motherboard to the listing. 

A Volkswagen spokesperson shared a statement that addressed the data breach but did not include any information about the sale on the hacking forum. The spokesperson said that "we cannot comment beyond our public disclosures." 

The hacker who's selling the data told Motherboard that it did not contain any Social Security Numbers nor drivers' license information. The hacker said she is asking between $4,000 and $5,000 for the whole database. 

000 said she worked with another hacker who goes by General Badhou3a. 000 explained that she set up a script to scan the internet for exposed Azure blobs, which are essentially data repositories stored in Microsoft's cloud. The hacker said she just created a script that would look for exposed backups by checking for known company domains attached to "blob.core.windows.net," the default URL for Azure blobs.  

"I have a bunch of data just stored," 000 said in an online chat. "From multiple other sources not only Azure blobs."

The hacker said she obtained the data in March. Volkwagen said that it was alerted of the breach on March 10 of this year. The company added that it believes "the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when the source of the incident was identified." The company did not identify the vendor responsible for the breach, saying only that it is used by Audi, Volkswagen, and some authorized dealers. 

The company added that the stolen data ranged from 2014 until 2019, and that it is notifying all victims. Volkswagen said it is sending emails or letters to the victims, offering free credit monitoring and alerting them that they may receive phishing attacks using the information stolen.  Volkswagen said it’s offering free credit only tho the approximately 90,000 victims who had more sensitive data stolen.

UPDATE, 06/17/2021, 9:51 a.m. ET: This story was updated to clarify that the victims are only in the US and Canada, and that Volkswagen is only offering free credit monitoring to around 90,000 of the total victims.

Joseph Cox contributed reporting.

Subscribe to our cybersecurity podcast, CYBER.