techcrunch.com - Security researcher Eaton Zveare told TechCrunch that the flaws he discovered in the carmaker's centralized dealer portal exposed vast access to customer and vehicle data. With this access, Zveare said he could remotely take over a customer's account and unlock their cars, and more.
A security researcher said flaws in a carmaker’s online dealership portal exposed the private information and vehicle data of its customers, and could have allowed hackers to remotely break into any of its customers’ vehicles.
Eaton Zveare, who works as a security researcher at software delivery company Harness, told TechCrunch the flaw he discovered allowed the creation of an admin account that granted “unfettered access” to the unnamed carmaker’s centralized web portal.
With this access, a malicious hacker could have viewed the personal and financial data of the carmaker’s customers, tracked vehicles, and enrolled customers in features that allow owners — or the hackers — to control some of their cars’ functions from anywhere.
Zveare said he doesn’t plan on naming the vendor, but said it was a widely known automaker with several popular sub-brands.
In an interview with TechCrunch ahead of his talk at the Def Con security conference in Las Vegas on Sunday, Zveare said the bugs put a spotlight on the security of these dealership systems, which grant their employees and associates broad access to customer and vehicle information.
Zveare, who has found bugs in carmakers’ customer systems and vehicle management systems before, found the flaw earlier this year as part of a weekend project, he told TechCrunch.
He said while the security flaws in the portal’s login system was a challenge to find, once he found it, the bugs let him bypass the login mechanism altogether by permitting him to create a new “national admin” account.
The flaws were problematic because the buggy code loaded in the user’s browser when opening the portal’s login page, allowing the user — in this case, Zveare — to modify the code to bypass the login security checks. Zveare told TechCrunch that the carmaker found no evidence of past exploitation, suggesting he was the first to find it and report it to the carmaker.
When logged in, the account granted access to more than 1,000 of the carmakers’ dealers across the United States, he told TechCrunch.
“No one even knows that you’re just silently looking at all of these dealers’ data, all their financials, all their private stuff, all their leads,” said Zveare, in describing the access.
Zveare said one of the things he found inside the dealership portal was a national consumer lookup tool that allowed logged-in portal users to look up the vehicle and driver data of that carmaker.
In one real-world example, Zveare took a vehicle’s unique identification number from the windshield of a car in a public parking lot and used the number to identify the car’s owner. Zveare said the tool could be used to look up someone using only a customer’s first and last name.
With access to the portal, Zveare said it was also possible to pair any vehicle with a mobile account, which allows customers to remotely control some of their cars’ functions from an app, such as unlocking their cars.
Zveare said he tried this out in a real-world example using a friend’s account and with their consent. In transferring ownership to an account controlled by Zveare, he said the portal requires only an attestation — effectively a pinky promise — that the user performing the account transfer is legitimate.
“For my purposes, I just got a friend who consented to me taking over their car, and I ran with that,” Zveare told TechCrunch. “But [the portal] could basically do that to anyone just by knowing their name — which kind of freaks me out a bit — or I could just look up a car in the parking lots.”
Zveare said he did not test whether he could drive away, but said the exploit could be abused by thieves to break into and steal items from vehicles, for example.
Another key problem with access to this carmaker’s portal was that it was possible to access other dealer’s systems linked to the same portal through single sign-on, a feature that allows users to log in to multiple systems or applications with just one set of login credentials. Zveare said the carmaker’s systems for dealers are all interconnected so it’s easy to jump from one system to another.
With this, he said, the portal also had a feature that allowed admins, such as the user account he created, to “impersonate” other users, effectively allowing access to other dealer systems as if they were that user without needing their logins. Zveare said this was similar to a feature found in a Toyota dealer portal discovered in 2023.
Hackers leak data of 88 million AT&T customers with decrypted SSNs; latest breach raises questions about links to earlier Snowflake-related attack.
Hackers have leaked what they claim is AT&T’s database which was reportedly stolen by the ShinyHunters group in April 2024 after they exploited major security flaws in the Snowflake cloud data platform. But is this really the Snowflake-linked data? We took a closer look.
As seen by the Hackread.com research team, the data was first posted on a well-known Russian cybercrime forum on May 15, 2025. It was re-uploaded on the same forum on June 3, 2025, after which it began circulating among other hackers and forums.
After analyzing the leaked data, we found it contains a detailed set of personal information. Each of these data points poses a serious privacy risk on its own, but together, they create full identity profiles that could be exploited for fraud or identity theft. The data includes:
Full names
Date of birth
Phone numbers
Email addresses
Physical addresses
44 Million Social Security Numbers (SSN) (43,989,219 in total)
The compliance company said the customer data exposure was caused by a product change.
ompliance company Vanta has confirmed that a bug exposed the private data of some of its customers to other Vanta customers. The company told TechCrunch that the data exposure was a result of a product code change and not caused by an intrusion.
Vanta, which helps corporate customers automate their security and compliance processes, said it identified an issue on May 26 and that remediation will complete June 4.
The incident resulted in “a subset of data from fewer than 20% of our third-party integrations being exposed to other Vanta customers,” according to the statement attributed to Vanta’s chief product officer Jeremy Epling.
Epling said fewer than 4% of Vanta customers were affected, and have all been notified. Vanta has more than 10,000 customers, according to its website, suggesting the data exposure likely affects hundreds of Vanta customers.
One customer affected by the incident told TechCrunch that Vanta had notified them of the data exposure. The customer said Vanta told them that “employee account data was erroneously pulled into your Vanta instance, as well as out of your Vanta instance into other customers’ instances.”
A security researcher who assisted with the deal says he believes the only copy of the complete dataset of call and text records of “nearly all” AT&T customers has been wiped—but some risks may remain.
The security firm said the attacks targeting Snowflake customers is "ongoing," suggesting the number of affected companies may rise.
The online criminal bazaar BreachForums has been resurrected merely two weeks after a U.S.-led coordinated law enforcement action dismantled and seized control of its infrastructure.
Cybersecurity researchers and dark web trackers Brett Callow, Dark Web Informer, and FalconFeeds revealed the site's online return at breachforums[.]st – one of the dismantled sites – by a user named ShinyHunters, who has since offered for sale a 1.3 TB database containing details of allegedly 560 million Ticketmaster customers for $500,000.
Between 2019 and 2022, groups of Tesla employees privately shared via an internal messaging system sometimes highly invasive videos and images recorded by customers’ car cameras.
What Happened On March 29, 2023, Falcon OverWatch observed unexpected malicious activity emanating from a legitimate …
