Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Peugeot leaks access to user information in South America

Peugeot, a French brand of automobiles owned by Stellantis, exposed its users in Peru, a South American country with a population of nearly 34 million. A brand, best known for its lion roaring for over a century, has leaked access to its user data in Peru. And while the country is not that big of […]

Peugeot data leak

Peugeot, a French brand of automobiles owned by Stellantis, exposed its users in Peru, a South American country with a population of nearly 34 million.

A brand, best known for its lion roaring for over a century, has leaked access to its user data in Peru.

And while the country is not that big of a market for the car maker, this discovery is yet another example of how big and well-known brands fail to secure sensitive data.

Peruvian data leak

On February 3rd, the Cybernews research team discovered an exposed environment file (.env) hosted on the official Peugeot store for Peru.

The exposed file contained:

  • Full MySQL database Uniform Resource Identifier (URI) – a unique sequence of characters that identifies a resource – as well as username and password to access it;
  • JSON Web Token’s (JWT) passphrase and locations of private and public keys;
  • A link to the git repository for the site;
  • Symfony application secret.
Peugeot data leak

Combined, the leaked information could be used to compromise the dataset and the website.

Judging from its username, MySQL was used to store user information. The company has also leaked the credentials needed to access the dataset. An attacker could use this data to log in, exfiltrate, or modify the dataset’s contents.

The passphrase for JWT, an industry standard used to share information between two entities, was very weak and easily guessable. The private certificate, used in combination with the passphrase, was also stored on the same server.

The leaked Symphony application secret could have been used to decrypt previously encrypted data such as user cookies and session IDs. If exposed, such information could enable the threat actor to impersonate a victim and access applications illegitimately.

The link to the git repository could be used in social engineering attacks against the platform developers to gain access to the repository, and in turn, steal the source code of the site.

“The way the environment file was configured also shows a lack of expertise and understanding of how to develop applications securely. User information from a breach like this is very valuable to malicious actors, as car owners or future car owners are more likely to have more savings and are therefore a bigger target for malicious actors,” Cybernews researchers said.

If you want to know how big the impact of the data leak is, give a look at the original post at

https://cybernews.com/security/peugeot-user-data-leak-south-america/

About the author: Jurgita Lapienytė, Chief Editor at CyberNews

Please vote for Security Affairs (https://securityaffairs.com/) as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections:

  • The Teacher – Most Educational Blog
  • The Entertainer – Most Entertaining Blog
  • The Tech Whizz – Best Technical Blog
  • Best Social Media Account to Follow (@securityaffairs)

Please nominate Security Affairs as your favorite blog.

Nominate here: https://docs.google.com/forms/d/e/1FAIpQLSfaFMkrMlrLhOBsRPKdv56Y4HgC88Bcji4V7OCxCm_OmyPoLw/viewform

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Peugeot)