Peugeot, a French automobile brand owned by Stellantis, exposed user data in Peru, a South American country of almost 34 million people. Peru is not a major market for the manufacturer, but the incident shows how even large, well-known brands fail to secure sensitive data.
The Cybernews research team discovered an exposed environment file (.env) on Peugeot's official store for Peru on February 3rd. The file contained a full MySQL database Uniform Resource Identifier (URI), including the connection credentials, the passphrase protecting the site's JSON Web Token (JWT) signing key together with the locations of the private and public keys, a link to the site's git repository, and the Symfony application secret.
Combined, the leaked information could compromise both the database and the website. MySQL stored user information, and the credentials embedded in the database URI are exactly what is needed to connect to it.
An attacker could use them to log in and exfiltrate or modify the database contents. The JWT passphrase was easily guessable, and the private key it protects was stored on the same server, so anyone who obtained both could sign tokens of their own. The leaked Symfony application secret is what the framework uses to sign or encrypt protected data such as user cookies and session identifiers; with it, a threat actor could forge or decrypt that data, impersonate a victim and access the application illegitimately.
The link to the git repository could be used in social-engineering attacks against the platform's developers to gain access to the repository and steal the site's source code. Cybernews researchers noted that the way the environment file was configured showed a lack of expertise in, and understanding of, secure application development.
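The exposures described above (credentials embedded in a database URI, a guessable JWT passphrase, a weak application secret, and private key material stored where the web server can reach it) are all detectable by reading the .env file before it ever ships. The script below is an added example, not Cybernews' or Peugeot's code: it parses a Symfony-style environment file and reports those conditions. It assumes the variable names Symfony and LexikJWTAuthenticationBundle use by default (DATABASE_URL, APP_SECRET, JWT_SECRET_KEY, JWT_PUBLIC_KEY, JWT_PASSPHRASE); the sample file, the hostnames and all values in it are constructed for illustration and are not the leaked file.

```python
import re
from urllib.parse import urlsplit

# Constructed sample shaped like a Symfony .env (placeholder values, not the leaked file).
SAMPLE_ENV = """\
# Symfony application settings
APP_ENV=prod
APP_SECRET=changeme
DATABASE_URL="mysql://shop:shop123@db.example.internal:3306/shop?serverVersion=8.0"
# LexikJWTAuthenticationBundle settings; key paths under public/ are reachable over HTTP
JWT_SECRET_KEY=%kernel.project_dir%/public/jwt/private.pem
JWT_PUBLIC_KEY=%kernel.project_dir%/public/jwt/public.pem
JWT_PASSPHRASE=password
"""

# Tiny wordlist standing in for the dictionary an attacker would actually try.
WEAK_WORDS = {"password", "passphrase", "secret", "changeme", "admin", "123456"}


def parse_env(text):
    """Parse KEY=VALUE lines into a dict, ignoring comments and blank lines
    and stripping one layer of matching quotes around the value."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def is_weak_secret(value, min_len=16):
    """A secret is weak if it is short, a dictionary word, or drawn from a
    single character class (e.g. all lowercase letters)."""
    v = value.strip()
    if len(v) < min_len or v.lower() in WEAK_WORDS:
        return True
    classes = sum(bool(re.search(p, v)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return classes < 2


def audit_env(env):
    """Return a list of (variable, finding) tuples for the exposure types above."""
    findings = []

    url = env.get("DATABASE_URL")
    if url:
        parts = urlsplit(url)
        if parts.password:  # the URI carries a usable login, not just a location
            findings.append(("DATABASE_URL",
                             f"embeds credentials for user {parts.username!r} on host {parts.hostname!r}"))

    # Symfony generates a 32-hex-char APP_SECRET; it signs remember-me cookies, CSRF tokens and signed URLs.
    secret = env.get("APP_SECRET")
    if secret is not None and is_weak_secret(secret, min_len=32):
        findings.append(("APP_SECRET", "weak; anything signed with it can be forged"))

    passphrase = env.get("JWT_PASSPHRASE")
    if passphrase is not None and is_weak_secret(passphrase):
        findings.append(("JWT_PASSPHRASE", "guessable; it is the only thing protecting the JWT private key"))

    # The private key belongs under config/, never under the document root (public/ or the older web/).
    key_path = env.get("JWT_SECRET_KEY", "")
    if "/public/" in key_path or "/web/" in key_path:
        findings.append(("JWT_SECRET_KEY", "private key stored under the web root, so it may be served directly"))

    return findings


if __name__ == "__main__":
    for var, msg in audit_env(parse_env(SAMPLE_ENV)):
        print(f"[{var}] {msg}")
```

Run it against .env and .env.local in a checkout or, better, in CI so a weak passphrase or an embedded database password fails the build. The audit only looks at file contents; the other half of the control is the web server configuration, which must refuse to serve dotfiles so that an exposed .env is never reachable over HTTP in the first place.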
Because current and prospective car owners tend to have more savings than average, user information from a breach like this is valuable to malicious actors.
This latest leak emphasizes the need for companies, especially those handling sensitive data, to take the necessary steps to secure their systems and prevent data breaches.