Jeremiah Fowler, a researcher at Security Discovery, found that 198 million records from Dealer Leads were exposed to the public in a non-password-protected database.
The exposed data comprises names, email addresses, phone numbers, physical addresses, IP addresses and identifiable information, including data purchased from other vendors. Fowler says he discovered the non-password-protected database, containing 413GB of data totaling 198 million records, several weeks before he was able to identify and contact the owner.
After investigating, he noticed that many of the websites listed in the database appeared to be a mix of lead generation sites and smaller dealerships. He said he called several of the websites listed inside the database asking where they purchased their leads but was unable to get a straight answer.
Fowler says he was able to find the owner only by manually reviewing multiple domains and discovering that they all linked back to dealerleads.com. He reported the database's visibility to Dealer Leads on August 19th and contacted them the following day by phone. To their credit, Dealer Leads acted quickly in restricting access to this database after Fowler informed them of the breach.
The data was available online publicly for an unknown amount of time. It is still unclear if Dealer Leads is notifying individuals or dealerships impacted by the breach.