The location information for about 800,000 electric Volkswagen vehicles was available online for months due to a data leak. A report from a German news magazine der spiegelThe leak reportedly originated from software running inside Volkswagen vehicles and could have allowed a bad actor to track a driver's exact movements, As noted Electrek,
An informant was the first to inform der spiegel and the European Hacking Association Chaos Computer Club vulnerability, which also affects EVs from Volkswagen-owned car brands globally, including Audi, Seat and Skoda.
der spiegel Cariad, the Volkswagen subsidiary behind the automaker's software, found that it made it possible for an attacker to find and access driver data held in Amazon's cloud storage service. The data, which “can be linked to drivers' names and contact details”, reportedly included drivers' emails, phone numbers and addresses in some cases, as well as details of when the EV was turned on and off .
This included the “exact” locations of approximately 460,000 vehicles. der spiegel says the data was “accurate to within tens of centimeters” for Volkswagen and Seats vehicles, and to within 10 km (~6 miles) for Audi and Skoda models.
Cariad has since addressed the issue, stating der spiegel Customers “do not need to take any action, as no sensitive information such as passwords or payment details is affected.” The Verge Carried and Volkswagen were contacted requesting comment, but did not immediately respond.