The Volkswagen Group of America (2021) Data breach
@author Ruslan Rustchev
The Stolen Data
On June 11, 2021, the Audi of America vendor company (the U.S. subsidiary of German car company Audi, which is owned by Volkswagen Group) wrote to their customers, informing them about a significant data breach. They disclosed that on March 10, 2021 the company detected that an unauthorized third party had gained access to, and was able to obtain, company data from unsecured cloud storage. The stolen data was reported to include customer personal information such as: “first and last name, personal or business mailing address, email address, or phone number,[…], information about vehicle purchased, leased, or inquired about, such as the Vehicle Identification Number (VIN), make, model, year, color, and trim packages […], driver’s license numbers, […], dates of birth, Social Security or social insurance numbers, account or loan numbers, and tax identification numbers”1.
Several days after the disclosure of the breach, on June 14, data allegedly originating from the breach appeared on the RaidForums cybercriminal marketplace, which specializes in selling leaked and stolen data to facilitate fraud, cyber intrusions and other criminal activity. The user that posted about the leak, who goes by the username “000”, said he worked with another hacker who goes by “General Badhou3a” to obtain the data in March that year.2
Screenshot from RaidForums, taken June 2021, showing the post by user 000 advertising the sale of the stolen audiusa.com database.
While in 2025 the original post is no longer online, as the RaidForums domain was seized by Europol in a disruption campaign dubbed “TOURNIQUET”3, I was easily able to find and obtain a copy of the originally leaked database in 2025 on another criminal marketplace:
Screenshot from BreachForums, taken Jan 12, 2025, showing the post by user AddKa72424 advertising the sale of the stolen audiusa.com database.
How the attack was perpetrated
The attacker allegedly obtained the data through an unsecured Microsoft Azure cloud storage service, an Azure Blob container (Blob stands for Binary Large Object). This service is very similar to AWS’s Simple Storage Service (S3) in that any file can be stored in it, whether it is a text file or a binary file4. While not enabled by default, anonymous read access to Azure cloud storage can be configured to allow unauthenticated access to the stored data.5 This type of security misconfiguration allows an attacker to easily enumerate and discover storage objects, a technique tracked as T1619 - Cloud Storage Object Discovery by the MITRE ATT&CK® framework, which catalogs attackers' tactics, techniques and procedures.
In the case of Azure Blobs, the URL to access storage blobs is formatted as:
http://<storage-account>.blob.core.windows.net/<container-name>/<blob>
- <storage-account> - The Azure Storage Account Name
- <container-name> - The name of the container holding the information
- <blob> - the file name of the blob containing information
Image: Azure Documentation - the relationship between storage account, containers, and blobs.
The “storage-account” name can be guessed and will often just be based on the name of the organization. For example, for the company name Contoso Corporation the account could be http://contoso.blob.core.windows.net or one of various other deviations such as http://contosocorp.blob.core.windows.net. An attacker can easily generate a list of possible names and validate them through a simple DNS request.
A similar “dictionary”-based approach can be used to guess the “container-name”. To test whether a container exists and whether we have permission to access it, we send a GET request such as the following, here testing for the container “logs”, which is created by default on storage accounts, and receive one of the possible replies:
https://contoso.blob.core.windows.net/$logs?restype=container&comp=list
- “ResourceNotFound” message when anonymous access is enabled, but the resource is not found
- “PublicAccessNotPermitted” message when anonymous access is disabled
The “blobs” (files) that have anonymous list access can then be easily derived using the List Blobs GET REST API request, [List Blobs (REST API) - Azure Storage | Microsoft Learn](https://learn.microsoft.com/en-us/rest/api/storageservices/list-blobs?tabs=microsoft-entra-id), to get a list of files that can be accessed.
All these methods can be performed manually, using community-developed automated scripts, or by leveraging fully fledged attack frameworks that target cloud resources to gain access to data from cloud storage without having access to valid credentials for the cloud tenant (T1530: Data from Cloud Storage).
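When auditing containers in storage accounts you own, the replies described above can be classified mechanically. The following is an added example, not code from the original article: the function names, sample replies and HTTP status values are constructed, and the XML shapes assume the Blob REST API's `Error` and `EnumerationResults` documents.

```python
import xml.etree.ElementTree as ET

# Constructed replies (not captured traffic) to GET <container>?restype=container&comp=list
LISTING = ('<?xml version="1.0" encoding="utf-8"?><EnumerationResults '
           'ContainerName="exports"><Blobs><Blob><Name>customers-2021.csv</Name></Blob>'
           '<Blob><Name>leads.xlsx</Name></Blob></Blobs><NextMarker /></EnumerationResults>')
ERROR = '<?xml version="1.0" encoding="utf-8"?><Error><Code>{}</Code><Message>x</Message></Error>'
BASE = "https://contoso.blob.core.windows.net/"
REPLIES = {  # container URL -> (HTTP status, body); statuses are assumed values
    BASE + "exports": (200, LISTING),
    BASE + "archive": (404, ERROR.format("ResourceNotFound")),
    BASE + "broken": (502, ""),
}
LOCKED = {"https://contosocorp.blob.core.windows.net/exports":
          (409, ERROR.format("PublicAccessNotPermitted"))}

def classify_reply(status, body):
    """Map one reply onto the exposure states described in the article."""
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return {"state": "unparseable", "blobs": []}
    if status == 200 and root.tag == "EnumerationResults":
        # Anonymous listing worked: every blob named here is visible to anyone.
        names = [b.findtext("Name") for b in root.iter("Blob")]
        return {"state": "anonymous-list", "blobs": names}
    code = root.findtext("Code") if root.tag == "Error" else None
    states = {"PublicAccessNotPermitted": "anonymous-disabled",
              "ResourceNotFound": "anonymous-enabled-not-found"}
    return {"state": states.get(code, "other"), "blobs": []}

def audit(replies):
    """Summarise replies for containers you own: which ones list anonymously,
    and whether the account still permits anonymous access at all."""
    results = {url: classify_reply(*reply) for url, reply in replies.items()}
    listable = sorted((u, r["blobs"]) for u, r in results.items()
                      if r["state"] == "anonymous-list")
    permits = any(r["state"] in ("anonymous-list", "anonymous-enabled-not-found")
                  for r in results.values())
    return {"listable": listable, "account_permits_anonymous": permits}
```

An account that reports `account_permits_anonymous` as true still allows anonymous access at the account level, even if no container currently lists.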
Defenders should hunt for exposed Blobs using this methodology and follow Microsoft’s recommendations for securing Azure Storage:
https://learn.microsoft.com/en-us/azure/storage/blobs/security-recommendations
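One way to hunt for the two techniques named above (T1619 and T1530) in your own storage logs, as an added example that is not part of the original article. It assumes records exported as JSON lines with the column names of the Log Analytics `StorageBlobLogs` table; the sample records, addresses and the `guess_threshold` parameter are constructed.

```python
import json
from collections import defaultdict
from urllib.parse import urlparse

U = "https://contoso.blob.core.windows.net/"
# Constructed sample records (not real logs): (operation, auth type, status, caller, path)
ROWS = [("ListBlobs", "Anonymous", "404", "203.0.113.7:50001", "backup?restype=container&comp=list"),
        ("ListBlobs", "Anonymous", "404", "203.0.113.7:50002", "data?restype=container&comp=list"),
        ("ListBlobs", "Anonymous", "404", "203.0.113.7:50003", "files?restype=container&comp=list"),
        ("ListBlobs", "Anonymous", "200", "203.0.113.7:50004", "exports?restype=container&comp=list"),
        ("GetBlob", "Anonymous", "200", "203.0.113.7:50005", "exports/customers-2021.csv"),
        ("GetBlob", "Anonymous", "200", "203.0.113.7:50006", "exports/leads.xlsx"),
        ("ListBlobs", "OAuth", "200", "198.51.100.4:41000", "exports?restype=container&comp=list"),
        ("GetBlob", "Anonymous", "200", "198.51.100.9:42000", "public-assets/logo.png")]
SAMPLE = "\n".join(json.dumps({"AccountName": "contoso", "OperationName": op,
                               "AuthenticationType": auth, "StatusCode": code,
                               "CallerIpAddress": ip, "Uri": U + path})
                   for op, auth, code, ip, path in ROWS)

def hunt(lines, guess_threshold=3):
    """Return (exposed, guessers): containers listed or read anonymously, and
    callers whose anonymous requests failed on many distinct container names."""
    exposed = defaultdict(lambda: {"listed_by": set(), "reads": 0})
    misses = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("AuthenticationType") != "Anonymous":
            continue  # authenticated access is out of scope for this hunt
        ip = rec["CallerIpAddress"].rsplit(":", 1)[0]  # drop source port (IPv4 assumed)
        container = urlparse(rec["Uri"]).path.strip("/").split("/")[0]
        ok = str(rec["StatusCode"]).startswith("2")
        key = (rec["AccountName"], container)
        if ok and rec["OperationName"] == "ListBlobs":
            exposed[key]["listed_by"].add(ip)      # T1619: object discovery
        elif ok and rec["OperationName"] == "GetBlob":
            exposed[key]["reads"] += 1             # T1530: data from cloud storage
        elif not ok:
            misses[ip].add(container)              # failed guess at a container name
    guessers = {ip: sorted(c) for ip, c in misses.items() if len(c) >= guess_threshold}
    return dict(exposed), guessers
```

A container that appears in `exposed` with a non-empty `listed_by` set was enumerated without credentials and is the first candidate for having anonymous access switched off.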
Aftermath of the breach
While at the time of the breach the breached organization didn’t fall under a specific regulation that protects the privacy of consumers’ personally identifiable information (PII), such as the European General Data Protection Regulation (GDPR) or the U.S. California Consumer Privacy Act (CCPA), the company was forced to pay damages to affected consumers after a class action suit launched by affected consumers was settled by Volkswagen Group for $3.5 million6, which is a far cry from the damages for which the company would be liable under the other two mentioned regulations.
1. Audi Volkswagen Letter of notice of Breach June 11, 2021, Hosted on Document Cloud: https://www.documentcloud.org/documents/20806130-audi-volkswagen-letter/
2. Hackers Are Selling Data Stolen From Audi and Volkswagen, The Motherboard, Vice Media, https://www.vice.com/en/article/hackers-are-selling-data-stolen-from-audi-and-volkswagen
3. Europol Press Release: Operation TOURNIQUET, 21 June 2022
4. Microsoft Azure Documentation: Azure Storage: https://learn.microsoft.com/en-us/azure/storage/common/storage-introduction#blob-storage
5. Microsoft Azure Documentation: Azure Storage - configure anonymous read access: https://learn.microsoft.com/en-us/azure/storage/blobs/anonymous-read-access-configure?tabs=portal#set-the-public-access-level-for-a-container12, 2024
6. Volkswagen/Audi Data Incident Litigation SETTLEMENT AND RELEASE AGREEMENT; In re Service et al. v. Volkswagen Group of America, Inc., et al., Case No. MSC22-01841, https://audidatasettlement.com/Content/Documents/Settlement%20Agreement.pdf