Volkswagen’s Connected Car App Vulnerabilities Expose Owner Data and Service Histories

In a recent cybersecurity revelation, significant vulnerabilities have been discovered within Volkswagen’s connected car application, exposing sensitive personal information and comprehensive service histories of vehicles globally. These flaws allowed unauthorized access to user data through simple exploits requiring only a vehicle’s Vehicle Identification Number (VIN), which is typically visible through the windshield of most cars.

This incident marks the second major cybersecurity breach for Volkswagen within six months, following a December 2024 cloud storage leak that compromised data from 800,000 electric vehicles.

Discovery of Major Security Flaws

Cybersecurity researcher Vishal Bhaskar identified these vulnerabilities after purchasing a pre-owned Volkswagen in 2024. While attempting to connect his vehicle to the My Volkswagen app, he encountered an obstacle: the one-time password (OTP) was sent to the previous owner’s phone.

Rather than accepting defeat, Bhaskar noticed the app didn’t implement lockout mechanisms after multiple failed attempts. Using Burp Suite to analyze network traffic, he developed a Python script to brute-force the 4-digit OTP.

The script successfully cracked the code, but this was just the beginning.
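The control missing from the app was a lockout: a 4-digit code has only 10,000 possible values, so without a limit on failed attempts it can be exhausted quickly. The following is an added example, not Volkswagen’s or the researcher’s code, of an OTP verifier that counts failed guesses, invalidates the code after a small number of them, expires it after a few minutes, and makes it single-use. Account identifiers, the attempt limit and the lifetime are assumptions.

```python
import hmac
import secrets
import time

# Constructed example settings (assumptions, not Volkswagen's values).
OTP_DIGITS = 4
MAX_ATTEMPTS = 5         # failed guesses tolerated before the code is discarded
OTP_TTL_SECONDS = 300    # code lifetime: five minutes


class OtpStore:
    """Holds one pending OTP per account with attempt counting and expiry."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pending = {}       # account -> {"code", "expires", "attempts"}

    def issue(self, account):
        """Generate a fresh code (what the app would SMS) and reset the counter."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = {
            "code": code,
            "expires": self._now() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, account, guess):
        """Return 'ok', 'wrong', 'locked', 'expired' or 'no_code'.

        Every outcome other than 'wrong' removes the pending code, so an
        attacker gets at most MAX_ATTEMPTS guesses per code the owner requested.
        """
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"                 # nothing pending: a new code is needed
        if self._now() > entry["expires"]:
            del self._pending[account]
            return "expired"
        entry["attempts"] += 1
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._pending[account]       # single use
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[account]       # lockout: owner must request a new code
            return "locked"
        return "wrong"
```

With this in place a guesser gets MAX_ATTEMPTS tries per issued code, so the chance of success per code is MAX_ATTEMPTS / 10**OTP_DIGITS rather than certainty.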

Multiple API Vulnerabilities Exposed

Bhaskar identified three critical security flaws in Volkswagen’s systems:

1. Internal Credentials Leaked: An API endpoint exposed internal usernames, passwords, tokens, and even credentials for third-party services like payment processors and Salesforce in plaintext.

2. Personal Details Exposed via VIN: Another endpoint revealed customer profiles, including names, phone numbers, email addresses, postal addresses, and registration details tied to service records—all accessible using only a vehicle’s VIN.

3. Complete Service History Accessible: A third vulnerability exposed full service histories, customer complaints, and even customer satisfaction survey results for any vehicle by simply entering its VIN.

These vulnerabilities allowed potential attackers to:

– Access vehicle locations, engine health, fuel statistics, and tire pressure data.

– Obtain owner personal information, including home addresses and driving license details.

– View complete service histories and customer complaints.

– Potentially control vehicle features remotely.

“Imagine stalkers or criminals armed with this data,” noted Denis Laskov, Chief Hacker at EY IL, who shared Bhaskar’s findings. “They could easily determine your real-time location, home address, frequently visited places, phone number, and email address.”

Volkswagen’s Response and Industry Implications

Bhaskar reported the vulnerabilities to Volkswagen on November 23, 2024. After several months of communication, Volkswagen confirmed on May 6, 2025, that all vulnerabilities had been patched.

As vehicles become increasingly connected to the internet, security researchers warn that manufacturers must prioritize cybersecurity to prevent unauthorized access to the growing amount of personal data collected by modern cars.