An unprotected Elasticsearch database belonging to Dealer Leads has exposed almost 198 million records containing information about potential car buyers.
What information was involved?
The unsecured database contained a massive 413 GB of data on prospective car buyers. The exposed data includes:
Who is the owner of the database?
A security researcher from Security Discovery discovered the database on August 19, 2019. It had been left wide open to the public without any password protection. Upon discovery, the researcher examined the records in the database and noticed that many of the websites linked to the database appeared to be a mix of lead generation sites and smaller independent dealerships.
Later, the researcher contacted several of the websites found inside the database to determine where they purchased their leads. Finally, after manually reviewing multiple domains, the researcher discovered that they all linked back to Dealer Leads.
“I initially thought this database could be a directory, but there would not be such detailed information or back-end records. Another concern was that there were so many different websites that it almost seemed illogical that they could be owned by one organization. Only by manually reviewing multiple domains did I discover that they all linked back to dealerleads.com,” the researcher said.
About Dealer Leads
Dealer Leads owns several auto-related web domains and provides high volume website traffic for car dealerships.
“As someone with an SEO background it was interesting to see that Dealer Leads has created a massive and highly targeted network of websites. All of the content is relevant and related to the auto industry or other specific target keywords and this gives the links more value in Google’s eyes,” said the researcher. “This also explained why there were so many unique domains inside the database,” added the researcher.
On August 20, 2019, the security researcher contacted Dealer Leads and notified the company about the leaky database. Dealer Leads responded quickly and restricted public access to the database immediately after the notification.