I probably use my iPhone’s real, actual phone feature a lot more than the average person, being a journalist and all. I talk on the phone with people every day, and when an unfamiliar number flashes up on my phone screen, I usually pick up, assuming it has something to do with work.
Everyone outside of my industry I speak with seems to avoid talking on the phone altogether. I can understand why. Half the phone calls I get are just straight-up spam, with either an automated voice or someone trying to sell me something on the other end. If I didn’t have to use my phone for a living, I’d definitely just ignore any number that wasn’t saved in my contacts.
If you own an Alfa Romeo, Chrysler, Dodge, Jeep, Maserati, or Ram, you should probably do the same. Stellantis on Sunday announced that a third-party service provider that supports the company experienced a data breach, with hackers gaining unauthorized access to customer data, specifically contact information. According to a new report from BleepingComputer, up to 18 million records could have been stolen.
Stellantis’s brief statement from Sunday doesn’t really say much, other than letting the public know something happened and that it responded:
We recently detected unauthorized access to a third-party service provider’s platform that supports our North American customer service operations.
Upon discovery, we immediately activated our incident response protocols, initiated a comprehensive investigation, and took prompt action to contain and mitigate the situation. We are also notifying the appropriate authorities and directly informing affected customers.

The company goes on to say that only “contact information” was involved in the data breach, but doesn’t specify what sort of contact info or how many pieces of data were taken. These data points could be anything from names to phone numbers to email addresses. Importantly, Stellantis says no financial or “sensitive” personal information was accessed.
Then there’s this report from BleepingComputer, which claims to have actually talked to the hacker group behind the breach. From the piece:
Although Stellantis didn’t share more information regarding this attack, BleepingComputer has learned that it is part of a recent wave of Salesforce data breaches linked with the ShinyHunters extortion group, which has affected numerous high-profile companies.
Earlier today, ShinyHunters claimed responsibility for the Stellantis data breach and told BleepingComputer that they had stolen over 18 million Salesforce records, including names and contact details, from the company’s Salesforce instance.
A Stellantis spokesperson declined to comment when I reached out about the above claims.
The BleepingComputer report goes on to say that this string of data breaches, which has also affected brands like Google, Cisco, Farmers Insurance, and Workday, has been done through voice phishing attacks. Anyone who’s taken one of those silly corporate training courses has probably heard of this before. These attacks, sometimes known as “vishing,” use good old-fashioned audio calls to trick people into giving up information. Here’s how Bank of America describes it:
It usually comes as a phone call that sounds urgent or alarming. An unsolicited caller tells you your bank account has been compromised and that they need your PIN so they can verify your identity or unlock the account. Or they say they’re from a government agency, such as the IRS or the Social Security Administration. Sometimes they insist you owe money. Or they might announce you’re a lucky winner — but you’ll need to pay for shipping and handling to claim your prize.
[…]
One of the reasons these deceptions can be so convincing is that criminals can use personal information they’ve harvested from other sources to make a vishing attempt sound like an honest exchange. They also spoof phone numbers that belong to established organizations, which makes them appear legitimate on your caller ID. And they may lower your defenses with excellent imitations of call center professionals.
Pretty scary stuff. Stellantis is acutely aware of how someone’s contact info can be weaponized against them, so it’s told owners to be extra cautious:
We encourage customers to remain vigilant against potential phishing attempts and avoid clicking on suspicious links or sharing personal information in response to unexpected emails, texts, or calls. Customers with questions or who wish to verify communications, should contact Stellantis directly through official channels.
My recommendation? If someone calls you claiming to be a Chrysler Capital employee looking for this month’s loan payment, just hang up and call the place yourself to double-check things. That might sound rude, but better to be safe than sorry.
Top graphic images: Dodge; DepositPhotos.com

Answering the phone?
Gross.
I guess I’m doubly protected, then.
I do not own a Stellantis product.
I do not own a mobile phone.
I just blissfully drive my little GMC 5-speed while listening to my iPod over the Kenwood head unit.
Good times.
Ha! I still get emails from an Acura dealership in Texas who has my email address from when my now ex-wife bought an MDX that she traded in two years ago. She traded me in three years ago. Lol.
I filed an FTC complaint against a dealer in NJ because they would never remove me from their “newsletter” after repeated attempts. I inquired about one car and I don’t think they even responded to me.
So did they get LL Cool J’s contact info?
The Caller ID spoof thing is pretty annoying. So far I’ve managed to not get defrauded, but it does require paying attention. Usually telling them you’ll just call back to the number on the back of your card will make them go away. The last spam caller didn’t seem to want to go away, so I just put them in front of one of the speakers in my office which happened to be playing “What’s Become Of The Baby” from the 1968 mix of Aoxomoxoa. Hopefully they were at least a little weirded out if not remorseful by the time they hung up.
The fact that Caller ID spoof continues is ludicrous. The phone companies choose not to fix this. They know who is initiating the call on entry to their system for billing reasons.
Capital One credit card security used to call me and ask me to call a number other than the number on the back of the card. I told them how insecure this was and also wrote to them. No change. I ended up bailing on that card in part because of that.
Because of break-ins, I get free credit monitoring from a couple of the big three. At least one of them uses email where the link goes through some crazy domain instead of to their well-known website. Anyone who clicks on those links should have to sit through a brief tutorial on why you should not click on links in email.
Yeah, I know. I got a “possible fraud alert” email from my credit union, but it wasn’t from their email/website but “fraud.coop.org”, which turns out to be legit, but no way was I going to click on any links in that email. Called and got it all sorted out, but it was a little more trying than it needed to be.
Sure seems like phone companies could do better on fraudulent use like the Caller ID spoofing.
My office (local government utility) offers an option to make certain payments online. The site the City set up to take those payments is janky as hell and no way would I enter my own info if I hadn’t been the driving force behind it. Yet people use it every day to the tune of $7M/year.
The VISA card network has a similar “security” process where they (as near as I can tell) arbitrarily freeze your card after you make an “unusual” purchase — typically from a merchant that’s not one you frequently use. They call you and direct you to call them back at an unfamiliar number, not related to your card issuer. Your card is locked so you’re forced to call them — and then they ask you for personal information to confirm it’s you before confirming the purchase. Unfortunately, the whole process is scammy and runs contrary to good security practice.
When they pulled their stunt on me, the call center rep on the other end got snippy because I wasn’t terribly cooperative and questioned their motive at every turn. I went on to explain that as someone with a background in IT and data security, their whole system was ripe for exploits and bad security practice all around. It became a very uncomfortable call — for them.
After which I complained to my card issuer about the whole thing.
Most recently, my credit union, which uses VISA’s network for their debit cards, started getting complaints from customers getting hit with VISA’s security theatre. They’ve started just cancelling and issuing new debit cards to customers whenever the system hits rather than telling them they have to call VISA because they’re done with the whole thing too.
Master Card does this same nonsense, too. They decided to just freeze my entire card when my wife and I were in Europe on vacation despite me telling my bank I was going to Europe on vacation and to not freeze my card under any circumstances, and it finally took a three-way call involving me and a bank rep basically pleading with Master Card to unfreeze it.
There aren’t any repercussions for them inconveniencing you. This is too common in business these days.
If I ever have something that seems even remotely legitimate, I tell them I will call back, hang up and call my bank/card provider/whoever it is that says they are calling. That way, they also know something is going around. Not like they will do anything but at least they know.
This is some oatmeal strength worry. I get dozens of spam calls, texts, and emails every day. So what is one more?
My issue is I used to be able to weed out 99% of the spam due to typos, improper English and spelling etc. But now with companies outsourcing customer service even the correct contact is English Illiterate. Using 3rd party out of country companies makes it harder to tell spam contacts.
“If you own an Alfa Romeo, Chrysler, Dodge, Jeep, Maserati, or Ram“
SRT owners proven to have good judgment once again.
But what if it’s the Rapture calling?
They will leave a voice mail…
Word.
As if it wasn’t bad enough that you made the poor life choice of getting a 7-passenger penalty box (The Dodge Journey), but that you also bought a Stellantis product. And now you’re getting scammed! Ouch.
The Journey was not a Stellantis product. It was discontinued in 2020, the Stellantis merger happened in 2021.
Also did it have 7 seater options?
Being the cheapest seven-seater on the market was the Journey’s raison d’être by the end, once you couldn’t even get the Pentastar/six-speed auto or AWD. The third row wasn’t always standard, but I assume most Journeys have it.
Oh, they’re not scammers – what you do is, see, you give them all of your credit card numbers, and if one of them is lucky, they’ll mail you a prize
Why does an automaker need my contact information? Just asking.
With Chrysler, it’s to inform you of the 20 or so recalls you’ll have during the ownership experience.
As opposed to the Ford Recall 20 minutes after the check cleared?
I love my Maverick. Just took it in to have another recall fixed on Monday, so you’re not wrong.
They need it to provide you personalized services (mostly postcards telling you that they need you to bring it in for a recall or reminding you that you could buy a new one) and sell your information.
The latter is probably the big one. They aren’t mad at the hackers for getting your info. They just wanted to charge them for it.
So, they don’t. OK!
I do think the recall notifications are important. Especially for Stellantis. But, yeah, it should be the minimum information needed to accomplish the task at hand, so I think it should just be a mailing address. No phone number, no demographic data, no attached history beyond the address and relevant vehicle. I don’t even think it needs to have your name attached. They can mail the recall notice to “owner of a [year, make, model].” How they get informed about moves and changes of ownership, I’m not sure, but I think that’s solvable with a lot less info than they keep currently.
They have data feeds into the state registration databases to update ownership status. This is a requirement so that they can properly notify owners in case of a recall.
I’m mostly unsure if it’s something they could use to connect a VIN to an address without collecting any further info or if they’ll always end up with the name of the registered owner. It seems like that should be possible to do without the name, though. Send recall notices to registered address, never note the owner’s name. Suddenly, the information you have is just a list of addresses without identifying information.
I absolutely agree with you, but we seem to have decided allowing corporations to stockpile as much data about us as possible, and if there aren’t legal protections stopping them, they absolutely will.
It gets worse though, even with just address it’s fairly trivial to use public information to tie that address to a human or humans, associated with it.
Sure, it’s trivial to tie an address to a person, but we don’t need to provide the hackers everything on a silver platter. At least make them guess or figure out which person’s name should be attached to the vehicle and don’t give them a whole bunch of other identifying info.
But I know it’s a pipe dream. We love to let companies do whatever they want with our data in this country, all while convincing people it’s China getting our data that’s the real problem.
Google says hello
I mean, for a “do not drive”-level recall, I’d be happy to receive a phone call
Bonus points for putting unique fake names on such things and keeping those records so you know who’s been selling your info.
This.
Every entity to which you give your contact info sells it to data brokers so that they can more effectively advertise at you.
Just getting prepared for the next class action lawsuit, probably.
If I want to talk to someone, I will call them. But I don’t.
Leave me a message and I’ll call you back. They generally don’t though. Maybe they don’t like me that much?
Joe Walsh does.
+1. Hadn’t even on that ref!
“Maybe” he’ll call.