Wednesday, September 27, 2023

Suzuki accidentally posted sensitive data online


Under the hood of security: Suzuki accidentally posted sensitive data online

Quality cars – so-so privacy.

Recently, researchers at Cybernews discovered that Suzuki was leaking sensitive data online. The websites of two authorized dealers located in Brazil and Bahrain were vulnerable to cyberattacks. It is not clear how confidential customer information, passwords and secret business management tokens were made public.

Obviously, purchasing a car is a complex process involving loans, insurance, general documentation, and various types of contracts. All data remains with the dealer, including information that a particular person became the owner of the car. This fact alone can attract the attention of criminals. Dealer bases that do not provide adequate protection pose a serious threat to the safety of customers.

For those who can afford an expensive branded car, the threat is especially relevant. The information gathered by companies like Suzuki is very valuable on hacker forums. Official contacts of buyers and access to the SMTP (Simple Mail Transfer Protocol) server allow attackers to conduct phishing campaigns more effectively. In the case of two Suzuki dealers, hackers could attack customers directly.

The SMTP credentials would allow attackers to send malicious emails to suzukiveiculos.com.br and suzukibahrain.com users from Suzuki’s official mailbox.

Suzuki Motor Corporation is the tenth largest automaker in the world with a net worth of $17.6 billion. Brazilian dealer suzukiveiculos.com.br is owned by HPE Automotores do Brasil, which controls the production of 120,000 vehicles a year, mainly Mitsubishi and Suzuki models. The company claims to have over 2,500 direct and indirect employees.

Critical information was found on the Brazilian site in unprotected form: access data for the GoCache content delivery network, MySQL database information, access details for the mail server (SMTP), and the secret keys the web application itself needs to operate.

The second website is owned by Suzuki Bahrain, the only Suzuki dealer in the country. Its administrators left Laravel's application key, database, and SMTP credentials unprotected.

Although the vulnerabilities were fixed quickly at the request of Cybernews researchers, site users should now be on their guard.

“Users should keep track of their email and credit history to make sure no new accounts have been created with their details,” the experts advise.

If possible, it is recommended that you change your My Suzuki passwords and set up two-factor authentication, as well as review your email addresses, phone numbers, and car numbers.



Source: www.securitylab.ru
