Honda leaked personal information of 50,000 Customers from its Honda Connect App

Honda Car India has left the personal details of over 50,000 users exposed on two public Amazon S3 buckets, according to a report published today Kromtech Security.

The two AWS buckets contained the personal details of users who downloaded and installed Honda Connect, a mobile app developed by Honda Car India.

Honda Connect is your typical remote car management app, which allows users to interact with their Honda smart cars, but also to contract and interact with services provided by Honda Car India.

S3 buckets leaked names, passwords, car VINs, more

As such, across time, the app had collected and stored vasts amounts of personal data about Honda India’s customers and their respective cars.

Bob Diachenko, the Kromtech security researcher who found the exposed S3 buckets and contacted Honda, says the servers contained the following types of user and car information:

  • Names
  • User gender
  • Phone numbers for both users and their trusted contacts
  • Email addresses for both users and their trusted contacts
  • Account passwords
  • Car VIN
  • Car Connect IDs, and more
S3 buckets had been leaking for at least three months

But Diachenko wasn’t the first to discover Honda India’s S3 buckets. Diachenko says that when he came across the exposed buckets, they already contained a file named poc.txt with the following message.

This is an automated file created by a security researcher named Robbie Wiggins. For almost a year now, Wiggins has been scanning the Internet for AWS S3 buckets with incorrect permissions and leaving this message on unsecured servers. Wiggins has been doing this to warn server owners and urge them to secure servers before someone hijacks or ransoms their data.

Diachenko says the timestamp on Wiggins’ file was February 28, 2018, three months and one day ago.

“Honda Car India didn’t even notice that a security researcher added a note to their buckets,” Diachenko noted. “There is no excuse for that, it clearly illustrates that they are simply running on auto-pilot with no monitoring at all.”

The Kromtech researcher has, in the meantime, personally notified Honda Car India about their leaky S3 buckets, which are now secured. Nonetheless, the process wasn’t easy. Diachenko said that it took almost two weeks to get in contact with the company and have it secure its users’ data.

Read Also: Several Security Flaws Hits BMW Cars

Credit: BleepingComputer

CEH Course In pune | Slink

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he passion for covering latest happening in cybersecurity world such as malware, breaches, vulnerabilities, exploits, white-papers, hacking newsbytes, Dark Web, hacking tutorials and a few more.

Leave a Reply

Your email address will not be published. Required fields are marked *