News

21,000 U.S. driver licenses up for sale on hacker forum after data breach

A threat actor has put up over 21,000 U.S. driver licenses for sale on a hacker forum after a data breach.

The seller also told Security Report that they had over 2,000 credit reports and credit application forms containing sensitive customer information, such as names, dates of birth, SSNs, addresses, credit history, and vehicle purchase information.

These documents were allegedly obtained from a vulnerable server belonging to a lending company.

Update: added statement below from the lending company who has, thus far, not found any evidence of data breach.

Thousands of U.S. driver licenses, SSNs, credit reports stolen

This week, a threat actor has put up copies of over 21,000 Californian driver licenses for sale on a hacker forum. These copies were allegedly stolen from an online lending, identity verification, and finance solutions company.

Forum post where over 21,000 U.S. driver licenses have been put up for sale

The seller who goes by alias Janus666 told Security Report that they had exactly 21,230 driver licenses, and 2,118 credit reports available for sale, obtained from a server they managed to breach sometime last week.

The credit reports/credit application forms expose sensitive information including customer names, dates of birth, SSNs, addresses, credit history, and vehicle purchase information.

While a majority of the driver licenses and credit reports are associated with residents of California, a small number of samples shared with us represent U.S. residents of some other regions as well.

“The drivers licenses are mostly of California, however there are some [from] Washington, Illinois, Arizona, Florida, Iowa, Nebraska, Minnesota, Michigan, Mexico*, Georgia, Colorado, Nevada, New Jersey, New York, Ohio, Pennsylvania, Texas, Tennessee. But these are in small numbers,” the seller told Security Report.

(*It isn’t clear if the threat actor meant “New Mexico” or Mexico)

Alon Gal, co-founder, and CTO of cybercrime intelligence firm Hudson Rock, who had first spotted and tweeted about this forum post said stolen driver license data could be abused by adversaries looking to conduct different kinds of frauds and identity theft.

The seller told Security Report, although they hadn’t set a fixed price on the data set, they did manage to sell driver licenses at least once, charging $400 for 10,000 copies.

Security Report also reviewed the sample set of Californian driver licenses posted by the seller on the forum. After researching public records, we observed that the details in the licenses represented real persons.

California Department of Motor Vehicles (DMV) did not respond to our request for comment when asked if the department will take any steps to notify the impacted drivers.

Documents allegedly stolen from a lending company

Security Report attempted to trace the source of this data breach, and how were these files obtained by the threat actor.

Although the threat actor did not comment on what vulnerability or weakness was exploited to obtain the credit reports and driver’s licenses, they claim that eLEND Solutions is the company where they obtained these files from. Furthermore, these files were allegedly uploaded by car dealerships across the U.S. to eLEND’s systems.

The copies of stolen credit reports seen by Security Report have URLs printed on the footer of every page and start with extranet.dealercentric.com:

A sample credit report PDF that stolen from the server

Although this domain belongs to eLEND Solutions, a trading name of DealerCentric Solutions Inc., at the time of our testing, the specific URLs that were expected to lead to credit reports, instead prompted us with a login screen before granting access. This indicates any improper authorization flaw, should it have existed, is now patched.

Security Report repeatedly reached out to eLEND well in advance for comment but we did not hear back. As such, the source of this data breach remains unconfirmed.

Update – 27-July-2021, eLEND’s IT department has responded with a statement:

When we checked the five purported sample licenses from the download link, I was unable to locate any of these names/license numbers in our system in the past 7 years. We have not been contacted by any threat actor for ransom or otherwise. In addition, the images appear vastly different than the ones we capture using the ID-150 scanner, casting additional doubt on the claims.

According to the reported threat, they claim to have retrieved the images via “an eLEND website” without specifying any details. Our corporate site is fully isolated from any of our data, so it is not possible to have retrieved anything from there. Regarding our platform site, It is not possible to access any data without first authenticating as a valid dealer user via multi-factor authentication. The scope of access is further restricted to the user’s roles and the dealer’s pool of data, making it extremely unlikely that this claim has any validity.

We have not been alerted by our intrusion detection systems of any suspicious activity, so the likelihood of this being a breach of any other kind is highly unlikely as well.

We have initiated an investigation and will advise with any findings once complete; however, at this point in time we are seeing no signs that this is a legitimate claim.

– eLEND’s IT department spokesperson
Ax Sharma

Ax Sharma is an Indian-origin British security researcher, journalist and TV subject matter expert with a focus on malware analysis and cybercrime investigations. His areas of interest include open source software security, threat intel analysis, and reverse engineering. Frequently featured by leading media outlets like the BBC, Channel 5, Fortune, WIRED, The Register, among others, Ax is an active community member of the OWASP Foundation and the British Association of Journalists (BAJ).

Recent Posts

Sea Turtle Cyber Espionage Campaign Targets Telecommunication and IT Companies in the Netherlands

Telecommunication, media, internet service providers (ISPs), information technology (IT)-service providers, and Kurdish websites in the…

11 months ago

Rogue WordPress plugin: Threat hunters uncover credit card skimming campaign targeting e-commerce sites

Rogue WordPress Plugin Found to Steal Credit Card Information in Magecart Campaign Threat hunters have…

11 months ago

Albanian Parliament and telco ‘One Albania’ suffer cyber attacks

The Assembly of the Republic of Albania and telecom company One Albania have recently fallen…

11 months ago

Carbanak Banking Malware Resurfaces with Updated Tactics in Ransomware Attacks

The banking malware Carbanak has resurfaced with updated tactics, incorporating attack vendors and techniques to…

11 months ago

Theme park giant Parques Reunidos hit by a ransomware cyber attack

One of the world's largest theme park operators, Parques Reunidos has disclosed a cybersecurity incident.…

2 years ago

Phishing kit screenshots your email domain on the fly to appear real

Phishing kit used by multiple hacked sites generates a log in page on the fly…

2 years ago

This website uses cookies.