Honda has posted an online warning and sent an email to 2.2 million customers informing them that a database containing their e-mail addresses, VINs and login information had been stolen. In addition 2.7 million Acura customers had their emails only stolen.
The storage of the email databases was contracted by Honda and its luxury brand Acura to a third party. The party was responsible for sending “welcome” emails to new purchasers who had opted to open a OwnerLink or MyAcura accounts.
Several sites (ZDNet and All Things Digital) suggested that the email contractor might be Silverpop Systems, Inc. of Atlanta, Georgia who recently was hacked and had email databases of McDonald’s and Walgreens customers stolen. However, these sites were unable to definitively link Silverpop with Honda/Acura.
We, however, found a press release from September 2009 on Silverpop’s site which confirmed Honda as a “premium partner”. The press release describes an award given by Honda to the company, writing:
American Honda Motor Co., Inc. President and CEO Tetsuo Iwamura today presented the company’s Premier Partner Award to Silverpop CEO Bill Nussey. The company was recognized for excellence in supporting Honda’s email marketing efforts. Silverpop was one of 15 award recipients selected from 46 suppliers nominated by American Honda associates nationwide.
Silverpop® is the world’s only provider of both email marketing and marketing automation solutions specifically tailored to the unique needs of B2C and B2B marketers.
“This recognition is a huge honor for us,” Nussey said. “Honda, like most of our clients, has a very sophisticated online marketing program, and relies on the innovation and expertise that Silverpop delivers to fully engage with customers. They set their expectations of vendor partners high, and we’re proud to have exceeded them.”
So that seems like pretty definitive proof to us. It appears that yet another victim of the Silverpop breach has emerged. And unlike McDonald’s and Walgreens, Honda appears actually to have lost actual user passwords. It is unknown what kind of encryption scheme Silverpop was using, or whether it salted its passwords. However, if you bought a Honda and created an account in the recent past, you probably want to change the passwords on any accounts using the same password as your Honda account.
And as we stated with the previous leaks, beware spam and phishing schemes. The hackers likely had a motive when stealing this information, and that motive may simply have been to amass a large roll of emails to attack via message fraud.
*Update 1/2/2011 - Honda has removed the message from their website, however registered Honda/Acura owners have confirmed that an email warning was sent out to owners notifying them of the security warning.