The personal data of millions of American car owners who have signed up to the roadside assistance program provided by the firm drivesure is available online after a cybercriminal unlawfully hacked the company and dumped multiple sources of its databases on forums for hackers. A researcher from the security vendor Risk Based Security discovered the databases on raidforums cracking forums that were due to expire in the month of March and informed Drivesure of the issue this week. The databases contain names, deals with the volume of cellular phone calls and electronic mails, as well as information on customers’ vehicles which includes their produce, model and VIN number along with service records and damage claims. The breach also included 93,000 bcrypt passwords, which are used to protect data that is stored by secure applications. These passwords are possible to be manipulated if an attacker is able to run scripts for days on them.

Drivesure is a company that assists car dealerships in building loyalty to their customers by using data about their interactions with customers. The company is based in Illinois and focuses on employee retention as well as consumer training programs, among other things.

Thompson exploited the vulnerability in the cloud firewall configuration to circumvent security measures at the company and access folders and data buckets. She then uploaded her stolen data on GitHub, and slowly changed the information as she continued to hack. The question of whether she was trying to make money from the attack is unclear. Other high-profile targets have also been hit over the past few weeks, including unemployment claimants in Washington state, who were found by a security breach involving an external software application employed by the auditor and employees of air charter company Solairus Aviation.