Honda hack: Millions of customers’ email addresses stolen

Graham Cluley

American Honda says it has contacted millions of its customers after hackers stole a database containing names, email addresses, and VINs (the Vehicle Identification Number, or unique 17-character ID for your motor vehicle).

The obvious danger is that cybercriminals might use the list to send out emails to Honda customers, designed to trick them into clicking on malicious attachments or links, or fool them into handing over personal information. After all, if the hackers were able to present themselves as Honda, and reassured you that they were genuine by quoting your Vehicle Identification Number, then as a Honda customer you might be very likely to click on a link or open an attachment.

For that reason, Honda has contacted all of the 2.2 million customers it believes may have been affected by the security breach.

According to a report by the Columbus Dispatch, the data was stolen from a third-party company who sent out “Welcome” emails to customers who created accounts with the firm.

A further 2.7 million customers of Honda’s luxury Acura car brand were also exposed via a separate list, although in that case only email addresses are said to have been stolen.

Nevertheless, the email addresses could be used for sending out spam campaigns and customers are unlikely to view the data breach sympathetically if they find themselves the target of unwanted email marketing campaigns from spammers and phishers.

Honda has published further information and an FAQ for affected customers on its website.

There’s an important lesson that more companies can learn from cases like this. You don’t just need to ensure that you are taking enough care about the security and protection of the private customer data you store – you also need your partners and third-party vendors to follow equally stringent best practices.

It may not be your company who is directly hacked, but it can still be your customers’ data that ends up exposed, and your brand name that is tarnished.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
