Used cars? Try used car accounts: 15,000 up for grabs online at just $2 a pop

Cut and shut is so last century, now it's copy and clone


Researchers have found almost 15,000 automotive accounts for sale online and pointed at a credential-stuffing attack that targeted car makers.

The team at Kasada did not name the car manufacturers in question, only saying that the first 10,000 accounts "targeted a single, large European automotive manufacturer with motorists and vehicles residing within the US."

Researchers discovered the stolen accounts in a private group on OTT app Telegram, which soon expanded to include accounts from two major US car makers, bringing the total number for sale to nearly 15,000.

And the price? $2 per account. Significantly, the VIN (vehicle identification number) was included in the sale. This represented the first time the Kasada team had seen such information available for purchase.

While purchasing personal information has long been possible, getting hold of a car's identity represents a new avenue toward profit for criminals.

A VIN can be used to create replica license information that can then be applied to stolen cars; it can be used for nefarious registration purposes and, in some cases, to connect to a car maker's mobile app to unlock a vehicle or perform other activities.

All manner of fraud is also possible, including loan fraud – where criminals might use the information to tie a loan to a car – or identity fraud, where the VIN and stolen account credentials are used to reset a car account from where information such as the names of drivers, phone numbers, and physical address can be extracted.

As Reg readers know, a credential-stuffing attack occurs when criminals use automation to log into accounts with stolen credentials. The method exploits users' habit of reusing the same password over multiple sites. The team at Kasada said: "A small percentage of the stolen credentials 'work' and allow the attacker to successfully take over accounts with legitimate login credentials."

Once in, the process of extracting information, such as the vehicle make, model and VIN, is also automated to speed things along.
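The pattern described above (one automated source trying many accounts, with only a small share of logins succeeding) is something a defender can look for in authentication logs. The following is an added example, not code from Kasada or The Register; the log format, thresholds, function names and all sample values are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample auth log: "<ISO time> <source IP> <username> <OK|FAIL>".
# The format, addresses and accounts are invented for this example.
SAMPLE_LOG = """\
2023-09-12T10:00:01Z 203.0.113.7 alice@example.com FAIL
2023-09-12T10:00:01Z 203.0.113.7 bob@example.com FAIL
2023-09-12T10:00:02Z 203.0.113.7 carol@example.com OK
2023-09-12T10:00:02Z 203.0.113.7 dave@example.com FAIL
2023-09-12T10:00:03Z 203.0.113.7 erin@example.com FAIL
2023-09-12T10:00:03Z 203.0.113.7 frank@example.com FAIL
2023-09-12T10:01:10Z 198.51.100.20 grace@example.com FAIL
2023-09-12T10:01:25Z 198.51.100.20 grace@example.com OK
2023-09-12T10:02:00Z 192.0.2.50 heidi@example.com OK
2023-09-12T10:02:30Z 192.0.2.50 ivan@example.com OK
2023-09-12T10:03:00Z 192.0.2.50 judy@example.com OK
2023-09-12T10:03:30Z 192.0.2.50 mallory@example.com OK
2023-09-12T10:04:00Z 192.0.2.50 niaj@example.com OK
truncated line
"""

def parse(log_text):
    """Yield (source, username, succeeded) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in ("OK", "FAIL"):
            yield parts[1], parts[2].lower(), parts[3] == "OK"

def find_stuffing(log_text, min_accounts=5, max_success_ratio=0.25):
    """Map each suspect source to the accounts it managed to log in to.

    A source is suspect when it tried at least min_accounts distinct accounts
    and at most max_success_ratio of them succeeded.
    """
    # Assumption: grouping by source IP; a distributed attack needs another
    # key (device fingerprint, ASN, user agent) in place of the address.
    tried, succeeded = defaultdict(set), defaultdict(set)
    for source, user, ok in parse(log_text):
        tried[source].add(user)
        if ok:
            succeeded[source].add(user)
    suspects = {}
    for source, users in tried.items():
        hits = succeeded[source]
        if len(users) >= min_accounts and len(hits) / len(users) <= max_success_ratio:
            suspects[source] = sorted(hits)
    return suspects
```

The accounts returned for a suspect source are the ones whose reused password worked, so they are the candidates for a forced password reset and session revocation. A single user retrying their own password, or a shared office address where every login succeeds, is not flagged.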

The research comes a week after Mozilla declared cars from 25 automakers "data privacy nightmares on wheels." Kasada's findings demonstrate that as well as understanding the data being collected by cars, customers should also be wary of account configuration at car makers.

Kasada noted that credential-stuffing attacks affected all industries due to customers reusing passwords. Not helping is the appearance of services such as AI-enabled CAPTCHA bypasses to help criminals dodge anti-bot detection.

Solutions include customers considering password managers to prevent password reuse or implementing multi-factor authentication (MFA) on accounts. While the latter is not a silver bullet, it does make things more challenging for attackers. ®
