Honda Motors Company Customer Info Exposed

Monday, December 27, 2010

Rafal Los


Alright, so Honda's web sites didn't actually get hacked, but, like McDonald's, they are on the receiving end of a lump of coal in their stocking for Christmas.

A post on Honda's "Piloteers.org" website for Honda Pilot owners hints at a data breach at a vendor maintaining a mailing list for customers of the My Acura and Honda Owner Link websites.

From the forum post, it would appear that SilverPop, the same vendor whose breach exposed McDonald's customers' email addresses and other information, also held Honda's list [so this is likely fallout from the SilverPop hack]. Here's some of the relevant text:

"Dear Customer, American Honda Motor Co., Inc. recently became aware of unauthorized access to an email list used by a vendor to create a welcome email to customers who have an Owner Link or My Acura vehicle account. The data that was obtained included your email address, your name, Vehicle Identification Number (VIN) and User ID. Your password was not included and no other sensitive information was contained in that list."

What caught my attention is that this breach included the VIN (Vehicle Identification Number) along with some moderately personal information: name, email address and user ID. The page the letter references (http://www.honda.com/info/b/) also includes an interesting sliver on passwords...
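To make concrete what "the VIN" in that list gives away, here is a short Python decoder. It is an added example, not code from the original post or from Honda: it validates the ISO 3779 / NHTSA check digit and pulls out the country, manufacturer, model year, plant code and serial from a 17-character VIN. The sample VIN is constructed (not a real vehicle), and the small WMI-to-manufacturer table is an assumption to verify against the official WMI register.

```python
"""Decode the fields of a 17-character VIN and verify its check digit.

Added example (not Honda's or the post author's code). Check-digit scheme and
position layout follow ISO 3779 / NHTSA 49 CFR 565. The manufacturer (WMI)
table is an illustrative subset and an assumption to verify against the
official WMI register.
"""
from typing import Optional

# ISO 3779 transliteration: letters I, O and Q are never used in a VIN.
_TRANSLIT = {str(d): d for d in range(10)}
_TRANSLIT.update(zip("ABCDEFGH", range(1, 9)))
_TRANSLIT.update(zip("JKLMNPR", (1, 2, 3, 4, 5, 7, 9)))
_TRANSLIT.update(zip("STUVWXYZ", range(2, 10)))

# Position weights; position 9 (the check digit itself) has weight 0.
_WEIGHTS = (8, 7, 6, 5, 4, 3, 2, 10, 0, 9, 8, 7, 6, 5, 4, 3, 2)

# Position 10 model-year codes: A=1980 ... Y=2000, 1=2001 ... 9=2009, then the
# 30-year cycle repeats (A=2010 ...).
_YEAR_CODES = "ABCDEFGHJKLMNPRSTVWXY123456789"

# First character -> country of manufacture (well-known region assignments).
_COUNTRY = {"1": "United States", "4": "United States", "5": "United States",
            "2": "Canada", "3": "Mexico", "J": "Japan", "K": "Korea",
            "W": "Germany"}

# Illustrative WMI subset (assumption; verify against the NHTSA WMI register).
_WMI = {"1HG": "Honda (USA)", "5FN": "Honda (USA)",
        "2HG": "Honda (Canada)", "JHM": "Honda (Japan)"}


def check_digit(vin: str) -> str:
    """Compute the expected position-9 check character for a 17-char VIN."""
    total = sum(_TRANSLIT[ch] * w for ch, w in zip(vin, _WEIGHTS))
    remainder = total % 11
    return "X" if remainder == 10 else str(remainder)


def is_valid_vin(vin: str) -> bool:
    """True if the VIN is 17 allowed (upper-case) characters and its check digit verifies."""
    if len(vin) != 17 or any(ch not in _TRANSLIT for ch in vin):
        return False
    return vin[8] == check_digit(vin)


def model_year(vin: str) -> Optional[int]:
    """Decode position 10. NHTSA marks the 2010+ cycle with a letter in position 7
    (a North American convention; assumed here for other regions too)."""
    try:
        base = 1980 + _YEAR_CODES.index(vin[9])
    except ValueError:
        return None  # I, O, Q, U, Z and 0 are not valid year codes
    return base + 30 if vin[6].isalpha() else base


def decode(vin: str) -> dict:
    """Return everything a bare VIN discloses, plus whether it checks out."""
    if len(vin) != 17:
        raise ValueError("VIN must be 17 characters")
    wmi = vin[:3]
    return {
        "valid": is_valid_vin(vin),
        "country": _COUNTRY.get(vin[0], "unknown"),
        "manufacturer": _WMI.get(wmi, f"WMI {wmi} (not in table)"),
        "model_year": model_year(vin),
        "attributes": vin[3:8],   # positions 4-8: model/body/engine coding
        "plant_code": vin[10],
        "serial": vin[11:],
    }


if __name__ == "__main__":
    # Constructed sample VIN (not a real vehicle): Honda-style WMI, 2010 model year.
    SAMPLE = "5FNYF4H92AB000001"
    for key, value in decode(SAMPLE).items():
        print(f"{key:>13}: {value}")
```

The point for this breach: a name plus a VIN that decodes to a specific make, model year and plant is exactly the detail a convincing recall or service notice needs, so the letter's "no other sensitive information" wording undersells the phishing value of the list.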

The Honda FAQ page tells users not to worry, yet subtly hints that you should change your password if you have a login on one of these sites, which is odd given that the letter the user posted stresses that the password was not stolen, only the user ID.

What works against users here is that everything appears to sit behind a single sign-on (SSO) framework, so one password compromised on a forum page may also open the MyAccount page, with all of your customer information, private account details and other things you probably don't want other people to have. And with the user IDs and email addresses already in the attackers' hands, half of every credential is known, which is all a phishing or password-guessing campaign needs to start from.

Interestingly enough, buried deep within this FAQ on Honda's site is a strange password change feature:

  • Go to ahm-ownerlink.com or owners.acura.com
  • Click on Log In
  • Click on Forgot Password and follow the step by step instructions to create a new password

That sure is an interesting way to change a password... wouldn't you say? The FAQ offers no authenticated change-password function at all; the only route is the forgotten-password reset, which presumably keys on the very email address and user ID that just leaked. Think that's a design decision, or an architectural limitation of a bolt-on security feature?

At any rate, if you have logins on any of Honda's sites, I recommend changing your password at least...

Cross-posted from Following the White Rabbit

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
