Cybercriminals hacked into the database of American Honda Motor Co., Inc., stealing the names, e-mail addresses and Vehicle Identification Numbers (VIN) of 2.2 million car owners.
The affected automobile owners received an e-mail from Honda last week notifying them of the breach, reported the Columbus Dispatch. It is not known when the database hack occurred.
The e-mail message explained that customers’ identifications were compromised by thieves who gained unauthorized access to an e-mail list initially set up to create a welcome e-mail for new Honda and Acura owners. The welcome e-mail list contained customers’ names and e-mails, as well as online login names and their 17-character VINs.
The hacked Honda list contained no financial information, Social Security numbers or phone numbers, according to Honda.
A separate list of 2.7 million Acura owners' e-mail addresses was also accessed, but that list contained no other personal information.
"Based solely on the information that was accessed, it would be difficult for your identity to be stolen," Honda wrote on its website.
But the fact that a cybercriminal has access to a car owner’s VIN is particularly troublesome to Graham Cluley, senior technology consultant for the security firm Sophos.
On Sophos' website, Cluley wrote, "The obvious danger is that cybercriminals might use the list to send out e-mails to Honda customers, designed to trick them into clicking on malicious attachments or links, or fool them into handing over personal information. After all, if the hackers were able to present themselves as Honda, and reassured you that they were genuine by quoting your Vehicle Identification Number, then as a Honda customer you might be very likely to click on a link or open an attachment."
Honda is instructing those impacted by the security breach to change their account passwords, and to be cautious of unsolicited e-mails requesting personal information.
Honda said it does not send e-mails requesting Social Security numbers or credit card numbers, and if customers receive such a message, they should not divulge that information.