Security researchers from Kromtech have discovered a leak of over half a million records of the company SVR Tracking, specializing in tracking the location of cars.

The database was stored on an unprotected cloud server Amazon S3. It contained information on 540,642 customer accounts, including e-mail addresses, password hashes, IMEI GPS trackers, license plates, vehicle identification numbers (VIN), etc.. The database also contained information on the location of the tracking device in vehicles, the researchers noted.. In addition, the researchers identified 339 magazines containing information on vehicles, including images and service records, as well as documents detailing contracts with more than 400 car dealers using SVR Tracking services.

According to information on the SVR Tracking website, the company's devices provide continuous tracking of vehicles - every two minutes while moving and for four hours after stopping. Having the right credentials on hand, the user can get information about all the movements of the car for the last 120 days using the application for PC and mobile devices.

The total number of compromised devices can be much larger, because car sellers and customers can own several GPS trackers. It is also difficult to say how long the data was freely available, say researchers from Kromtech.

According to the researchers, the leak was discovered on September 18, 2017.

SVR Tracking was notified on September 20 and after a few hours access to the server was blocked.

Earlier, security researcher from UpGuard company Chris Vickery discovered about 1 GB of confidential data, configuration files and access keys of Viacom media conglomerate stored on the incorrectly configured Amazon Web Server S3 server.

SVR Tracking is an American company that provides customers with 24-hour tracking of cars and trucks in case the vehicle is towed or stolen.