Last week, Volkswagen AG’s US unit disclosed a data breach at a vendor that impacted more than 3.3 million customers in North America.

VWGoA states that the breach involved 3.3 million customers, with over 97% of those affected relating to Audi customers and interested buyers.

“The data included some or all of the following contact information about you: first and last name, personal or business mailing address, email address, or phone number. In some instances, the data also included information about a vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages,” explains the VWGoA data breach notification first reported by TechCrunch.

“The data also included more sensitive information relating to eligibility for purchase, loan, or lease. More than 95% of the sensitive data included was driver’s license numbers. There were also a very small number of dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers.”

Stolen Data Sold On A Hacking Forum

On June 14th, a known seller of data stolen during data breaches put the Audi and Volkswagen data up for sale on a popular hacking forum.

Buy Me a Coffee

According to a post on the forum, the sold data consists of over 5 million records, with 3,862,231 records being leads and 1,792,278 records in the sales database.

While the leads database contains contact information and phone numbers for prospective buys, the seller states that the sales database contained a great deal more information, including VINs, business numbers, information about the driver, and vehicle information.

READ
‘Disable Admin Notices Individually’ Plugin Exposes 100,000+ Sites to Risk

According to Vice, who first reported on the sale of this data, the hacker said they accessed the exposed data in March after finding it in an unsecured Azure Blob container.

The hackers are asking between $4,000 and $5,000 for all of the records and said the database does not contain any customers’ social security numbers.