Sunday, June 15, 2025
Volkswagen App Hack Exposes Vehicle Owner Data and Service Records

by Charline

Volkswagen is facing another major cybersecurity issue after serious flaws were discovered in its connected car app. These vulnerabilities exposed personal information and detailed service records of vehicle owners around the world.

The issues allowed unauthorized access to sensitive data using only the Vehicle Identification Number (VIN), a code visible through most car windshields. No advanced hacking tools were needed to exploit the flaws.

This marks Volkswagen’s second major data breach in six months. In December 2024, a cloud storage leak compromised data from 800,000 electric vehicles.

Researcher Uncovers Critical Flaws

The new vulnerabilities were discovered by cybersecurity researcher Vishal Bhaskar after he bought a used Volkswagen in 2024. When trying to connect his car to the “My Volkswagen” app, he noticed the one-time password (OTP) was sent to the previous owner’s phone.

Bhaskar also saw that the app did not block users after several failed OTP attempts. Using a tool called Burp Suite, he created a Python script to brute-force the 4-digit code. The script worked, allowing him access to the system.
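
The control whose absence is described above, a cap on failed OTP attempts, can be sketched server-side as follows. This is an added example, not code from Volkswagen or the researcher; the class and function names, the five-attempt limit and the five-minute lifetime are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5       # assumed policy value, not from the article
OTP_TTL_SECONDS = 300  # assumed policy value, not from the article


class OtpVerifier:
    """Keeps one outstanding challenge per account and caps wrong guesses."""

    def __init__(self, clock=time.monotonic, rng=secrets.randbelow):
        self._clock = clock
        self._rng = rng
        self._challenges = {}  # account_id -> [code, expires_at, failures]

    def issue(self, account_id):
        code = f"{self._rng(10_000):04d}"  # 4 digits, as described in the article
        self._challenges[account_id] = [code, self._clock() + OTP_TTL_SECONDS, 0]
        return code  # delivered out of band in a real service

    def verify(self, account_id, guess):
        entry = self._challenges.get(account_id)
        if entry is None:
            return "no_challenge"
        code, expires_at, failures = entry
        if self._clock() > expires_at:
            del self._challenges[account_id]
            return "expired"
        if failures >= MAX_ATTEMPTS:
            return "locked"  # checked before comparing, so a late correct guess fails too
        if hmac.compare_digest(code.encode(), str(guess).encode()):
            del self._challenges[account_id]
            return "ok"
        entry[2] += 1
        return "invalid"


def outcome_counts(verifier, account_id, guesses):
    """Feed a sequence of guesses to verify() and tally the responses."""
    counts = {}
    for guess in guesses:
        result = verifier.verify(account_id, guess)
        counts[result] = counts.get(result, 0) + 1
    return counts


if __name__ == "__main__":
    v = OtpVerifier(rng=lambda n: 4821)  # constructed fixed code for the demo
    v.issue("acct-1")
    print(outcome_counts(v, "acct-1", (f"{n:04d}" for n in range(10_000))))
```

With the cap in place, only five of the 10,000 possible codes are ever compared per issued challenge. Requests for a fresh code need their own rate limit, since each new challenge resets the counter.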

Three Major Security Issues Found

  • Leaked Internal Credentials: One API exposed usernames, passwords, and tokens used inside Volkswagen. It also revealed access details for services like payment processors and Salesforce.
  • Personal Data Exposed via VIN: Another API allowed access to customer names, phone numbers, email addresses, home addresses, and registration info—just by entering a vehicle’s VIN.
  • Full Service Records Accessible: A third flaw gave access to full service histories, customer complaints, and even satisfaction survey results, again using only the VIN.

Potential Risks

These issues could have let attackers:

  • Track vehicle locations and engine data
  • Access home addresses and driving license information
  • View complete service and complaint histories
  • Possibly control some car functions remotely

“Imagine stalkers or criminals armed with this data,” said Denis Laskov, Chief Hacker at EY IL, who worked with Bhaskar. “They could find your real-time location, home address, phone number, and more.”

Volkswagen Responds

Bhaskar reported the vulnerabilities to Volkswagen on November 23, 2024. After months of discussions, the company confirmed on May 6, 2025, that all security issues had been fixed.

Call for Better Cybersecurity

Experts say this incident shows how important cybersecurity is for connected vehicles. As cars gather more personal data, manufacturers must take stronger steps to protect users from cyber threats.
