On Friday, Volkswagen disclosed a data breach that it said affected 3.3 million customers and interested buyers. On Monday, hackers put the data stolen from the car maker on sale on a notorious hacking forum.
In the sales listing reviewed by Motherboard, a hacker that goes by 000 wrote that the data included email addresses and Vehicle Identification Numbers (VIN). The hacker also posted two samples of the data, which included full names, email addresses, mailing addresses, and phone numbers.
Volkswagen said that “the majority” of affected data included: “first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color and trim packages.” But for 90,000 victims, the data also included “more sensitive information relating to eligibility for a purchase, loan, or lease.
Nearly all of the more sensitive data (over 95%) consists of driver’s license numbers,” according to the company, which added that the majority of data pertains to Audi customers and interested buyers in the US and Canada only. The company also said it believes the data was left unsecured by a vendor. (Audi is owned by the Volkswagen Group.)
“There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers,” the website read.
The hacker said she is asking between $4,000 and $5,000 for the whole database.
The company added that it believes “the data was obtained when the vendor left electronic data unsecured at some point between August 2019 and May 2021, when the source of the incident was identified.” The company did not identify the vendor responsible for the breach, saying only that it is used by Audi, Volkswagen, and some authorized dealers.
The company added that the stolen data ranged from 2014 until 2019, and that it is notifying all victims.