Skip to Content
Security & privacy

Huge data leak exposes 198 million car buyers’ records

If you’ve recently purchased a car, buckle your seatbelt for a potentially bumpy ride. An internet sleuth has discovered that 198 million car buyers’ records were sitting in an unsecured database for anyone to see.

The information contained sensitive car-buyer information. So far, there are no indications that the data was stolen by hackers.

This is the latest example of a company leaving consumer data unsecured on the web. We’ll tell you how this data was exposed, as well as what the database owners have done about the situation.

Dozens of websites included in the leak

Like many data leaks this year, this one was the result of human carelessness.

Last month, Jeremiah Fowler, senior security researcher at, came across an unsecured database containing records with names, emails, phone numbers, addresses, IPs and other sensitive or identifiable information. The information was exposed on the internet in plain text.

Cybercriminals can exploit IP addresses, ports, pathways and storage information to access deeper into the network.

As he tried to track down the owner of the database, Fowler discovered that it contained information from other websites. Thinking at first that it was a directory, Fowler manually reviewed multiple domains and discovered that the websites all linked back to Dealer Leads.


Related: Number skyrockets to 100 million accounts exposed in recent data breach


Luckily, Dealer Leads is not a malicious site. In fact, it’s a digital marketing company created to help small car-dealer franchises generate leads through pinpointed websites Dealer Leads created or bought.

To optimize SEO, the company tracks phrases that are searched anywhere from thousands to over a million times in one month across all search engines. Those terms are then turned into a variety of websites with SEOs to match those search terms. These sites capture users at all stages of the buying funnel.

It’s a way to give the little guy a chance after Google changed its algorithm in 2012. Unfortunately, Dealer Leads’ database was open and visible in any browser, and anyone with an internet connection could access the data without administrative credentials.

Questions about leak remain

While Dealer Leads secured the database not long after being informed by Fowler, three serious questions still remain unanswered:

  • Why was the database not secured?
  • How long had the information been accessible?
  • Did hackers get their hands on any of the information?

Fowler said he could find no answers to those questions. reached out to Dealer Leads for comment but has yet to hear back.

This year, data leaks in which information is exposed usually through user carelessness, and data breaches where information is stolen by hackers are on track to surpass those of 2018.

Earlier this month, 419 million Facebook records were found parked in a server that had no password protection. The records contained users’ phone numbers and their Facebook IDs.

The server is not owned by Facebook, which means the data was scraped. The server held several databases from around the world and exposed 133 million records from Facebook users in the U.S., 18 million from the U.K. and more than 50 million from Vietnam.

In April it was discovered that 540 million Facebook users’ records, including passwords, were exposed publicly on Amazon servers by third-party app developers. Two separate Facebook app data sets were stored in their own cloud server buckets, but both were configured to allow the files to be downloaded by anyone.


Related: Data leak exposes thousands of unencrypted credit card numbers


But by far, the largest number of data exposed by one company is courtesy of First American Financial. What’s worse is that the data was compromised due to the company’s own negligence.

First American Financial, one of the nation’s leading settlement and insurance providers, exposed 800 million records containing sensitive data. A flaw in its database design made critical data visible to anyone using a web browser for more than two years.

Capital One’s servers were hacked, exposing more than 100 million U.S. customers. Data leaked in the security breach contains customer information from credit card applications spanning from 2005 until early 2019.

The information includes personal data such as credit scores, limits, balances, credit history, home addresses, and most importantly, Social Security numbers and bank account numbers.

Protecting yourself from corporate data leaks and breaches

It’s frustrating when you do everything you can to protect your personal information on your home PC and then a company you do business with exposes that same information.

Here are some tips to protect yourself:

  • Change your online account passwords every three months. That means something new and different for each account because if one gets breached, that compromises so much more if you’re using the same password.
  • Be on the lookout for phishing scams. Hackers will create emails pretending to be the affected company in hopes of getting you to click on malicious links. If the email provides a link back to the company, don’t click on it. Type the company’s actual URL on your browser to avoid a spoofed site.
  • Frequently check your bank statements for signs of suspicious activity. If you see anything strange, report it immediately. If you see suspicious activity on your credit cards, call your credit card company and put a freeze on your accounts as soon as possible.
  • Install strong security software not just on your PC but also on your smartphones.

With hackers seemingly always one step ahead of companies’ cybersecurity efforts, don’t be surprised if your personal information is exposed. But, following the tips above, you can always be prepared.

Ask me your digital question!

Navigating the digital world can be intimidating and sometimes downright daunting. Let me help! Reach out today to ask your digital question. You might even be on my show!

Ask Me