forbes.com
By Lars Daniel
Nov 10, 2025
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses.
Hyundai is alerting millions of customers about a data breach that exposed Social Security numbers and driver's licenses. The breach, which occurred in February but is only now being disclosed, represents the automotive giant's third major security incident in as many years.
How the Breach Happened
Think of Hyundai AutoEver America, or HAEA, as the digital nervous system for Hyundai, Kia and Genesis operations in North America. This California-based company manages everything from the software that enables remote car features to the computer systems dealerships use to process your purchase.
Between February 22 and March 2 of this year, hackers broke into these systems and roamed freely for nine days before being detected. That’s like a burglar having unsupervised access to a bank vault for over a week. Plenty of time to identify and steal important data.
The company discovered the intrusion on March 1st and says it immediately kicked the attackers out and brought in cybersecurity forensics teams. But the investigation took months, and notification letters are now being sent out to those confirmed to be affected: more than seven months after the attack ended.
What Information Was Stolen
The exposed data includes:
Hyundai AutoEver hasn’t said exactly how many people were affected, but regulatory filings show the breach reached multiple states. The upper limit is potentially massive: HAEA’s systems connect to 2.7 million vehicles across North America.
To put that in perspective, that’s roughly the entire population of Chicago potentially at risk. However, only individuals confirmed to be affected will receive notification letters.
This Keeps Happening to Hyundai
This isn’t Hyundai's first rodeo with hackers.
In early 2024, the Black Basta ransomware gang hit Hyundai Motor Europe, claiming to steal 3 terabytes of data, equivalent to about 750,000 digital photos or five hundred hours of high-definition video. That attack exposed everything from HR records to legal documents across multiple departments.
Before that, in 2023, breaches at Hyundai's Italian and French operations leaked customer email addresses, home addresses, and vehicle identification numbers.
Security researchers have also found serious vulnerabilities in Hyundai and Kia’s smartphone apps that could let hackers remotely control vehicles.
The Modern Car Is a Computer on Wheels
Here's what makes automotive breaches particularly concerning: Your car isn't just transportation anymore. It's a rolling data center.
Modern vehicles collect and transmit information constantly:
Where you drive and when
Your home and work addresses
How fast you accelerate and brake
When you service your vehicle
Your purchase and financing details
When hackers breach the IT provider managing this digital ecosystem, they don’t just get your Social Security number. They potentially access a comprehensive profile of your life and habits. It’s like the difference between someone stealing your wallet versus breaking into your phone. The phone contains exponentially more information about you.
What You Should Do Right Now
If you own or lease a Hyundai, Kia, or Genesis vehicle:
Immediate Actions:
Check your credit reports for unauthorized accounts or inquiries. You can get free reports at AnnualCreditReport.com
Monitor bank and credit card statements weekly for suspicious charges
Enable transaction alerts on your financial accounts
If You Receive a Notification Letter:
Enroll in the free credit monitoring within 90 days using the unique code provided
The service runs for two years and monitors all three credit bureaus
Call the dedicated hotline at 855-720-3727 with questions
For Everyone, Breached or Not:
Consider a credit freeze with Equifax, Experian and TransUnion. This prevents identity thieves from opening new accounts in your name
Enable fraud alerts which require creditors to verify your identity before issuing credit
Watch for phishing scams exploiting breach news. Hyundai will never ask for your Social Security number or payment information via email
The Uncomfortable Truth About Data Breaches
Data breaches have become depressingly routine. In 2024 alone, major incidents hit healthcare providers, retailers, financial institutions, and now automotive companies joining the list with alarming frequency.
But there's something particularly unsettling about automotive breaches. You chose your bank and can switch it. You chose your doctor and can change providers. But if you bought a Hyundai three years ago, you're stuck with their security practices until you sell the vehicle. Your data sits in their systems whether you like it or not.
And unlike a credit card breach where the bank typically covers fraudulent charges, identity theft involving Social Security numbers can create problems that take years to resolve. Victims may discover the theft only when they're denied a loan, receive bills for services they never used, or have their tax returns rejected because someone else already filed using their information.
What Hyundai Is Saying
In its breach notification, Hyundai AutoEver stated: "We regret that this incident occurred and take the security of personal information seriously."
The company says it’s investing in "additional security enhancements designed to mitigate future risk." But given this is the third major breach in three years across Hyundai Motor Group entities, many cybersecurity experts argue the company needs more than enhancements: it needs a fundamental security overhaul.
The automotive industry finds itself caught between competing pressures. Customers want connected features: remote start from their phone, navigation that predicts traffic, software updates that add new capabilities. These features require extensive data collection and cloud connectivity.
But every connection creates a potential vulnerability. Every database becomes a target. And when IT providers centralize services for millions of vehicles, they become high-value targets offering hackers a massive potential payoff from a single breach.
The challenge for automakers isn’t just fixing the specific vulnerabilities that enabled this breach. It’s fundamentally rethinking how they secure the growing mountain of customer data their business models now require.
bleepingcomputer.com
By Lawrence Abrams
November 11, 2025
The Rhadamanthys infostealer operation has been disrupted, with numerous
The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.
Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.
The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.
According to cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.
In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.
"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.
Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.
"I confirm that guests have visited my server and the password has been deleted.rootServer login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the "smart panel" were hit hard," wrote another subscriber.
A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.
G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.
Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.
Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, and the AVCheck site, SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC malware operations.
The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.
BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.
