U-Haul tells 67K customers that cyber-crooks drove away with their personal info

2024-02-23 20:06

U-Haul is alerting tens of thousands of folks that miscreants used stolen credentials to break into one of its systems and access customer records that contained some personal data.

A U-Haul spokesperson told The Register that about 67,000 customers in the United States and Canada were affected, but declined to answer other questions about the security snafu.

After investigating the break-in with the help of an outside cybersecurity firm, the moving and truck rental giant determined crooks accessed its U-Haul Dealer and Team Members system used to track reservations and view customer records.

Specifically, this included changing passwords on compromised accounts and offering affected customers a free, one-year membership with Experian IdentityWorks Credit 3B. While the U-Haul spokesperson declined to comment on how the criminals obtained the compromised credentials - eg, from an earlier data dump, or a social-engineering campaign - the incident illustrates how these types of identity-related attacks have skyrocketed over the past year.

In addition to using stolen credentials, the outfit's threat intel team spotted attackers targeting API keys and secrets, session cookies and tokens, one-time passwords, and Kerberos tickets.

"Threat actors have really focused on identity - taking a legitimate identity, logging in as a legitimate user, and then laying low, staying under the radar by living off the land and using legitimate tools," Adam Meyers, head of counter adversary operations at CrowdStrike, told The Register in an earlier interview.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/23/uhaul_data_breach/

#uhaul