Significant vulnerabilities have been uncovered in Volkswagen’s connected car app that exposed sensitive personal information and complete service histories of vehicles worldwide.

The disclosed flaws allowed unauthorized access to user data through simple exploits requiring only a vehicle’s VIN, which is visible through most car windshields.

This disclosure marks the second major cybersecurity incident for Volkswagen in six months, following a December 2024 cloud storage leak that compromised data from 800,000 electric vehicles.

Major Security Flaws Discovered

Cybersecurity researcher Vishal Bhaskar identified the vulnerabilities after purchasing a pre-owned Volkswagen in 2024. 

When attempting to connect his vehicle to the My Volkswagen app, he encountered an obstacle: the one-time password (OTP) was sent to the previous owner’s phone.

Rather than accepting defeat, Bhaskar noticed that the app did not enforce a lockout after multiple failed attempts. Using Burp Suite to capture the OTP verification request, he wrote a Python script to brute-force the 4-digit code, a space of only 10,000 possibilities.

The script successfully cracked the code, but this was just the beginning.
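Bhaskar’s script is not reproduced here. The following is an added example, not his code or Volkswagen’s, that models why the attack works: a 4-digit OTP check with no failed-attempt limit falls to exhaustive guessing, while the same check with a small lockout threshold stops the guesser almost immediately. The code value, the attempt limit and the class and function names are assumptions made for illustration.

```python
import hmac
from typing import Optional, Tuple

# Added example: a model of a 4-digit OTP check with and without a lockout.
# Not Volkswagen's code or Bhaskar's script; the code value, the attempt
# limit and the names below are assumptions for illustration.

OTP_DIGITS = 4
OTP_SPACE = 10 ** OTP_DIGITS  # only 10,000 possible codes


class OtpVerifier:
    """Checks a one-time code; if max_attempts is set, locks after that many failures."""

    def __init__(self, code: str, max_attempts: Optional[int] = None) -> None:
        self.code = code
        self.max_attempts = max_attempts
        self.failures = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # locked identities are rejected without any comparison
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(self.code, guess):
            return True
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
        return False


def brute_force(verifier: OtpVerifier) -> Tuple[Optional[str], int]:
    """Submit every code from 0000 upwards, as an attacker's script would.

    Returns (code, attempts) on success, or (None, attempts) once the verifier
    locks or the whole code space is exhausted.
    """
    for n in range(OTP_SPACE):
        guess = f"{n:0{OTP_DIGITS}d}"
        if verifier.verify(guess):
            return guess, n + 1
        if verifier.locked:
            return None, n + 1
    return None, OTP_SPACE


def lockout_success_rate(max_attempts: int) -> float:
    """Chance that a blind guesser succeeds before lockout: attempts / code space."""
    return max_attempts / OTP_SPACE


if __name__ == "__main__":
    target = "7361"  # constructed sample code; a real attacker never sees it
    print(brute_force(OtpVerifier(target)))                  # ('7361', 7362)
    print(brute_force(OtpVerifier(target, max_attempts=5)))  # (None, 5)
    print(lockout_success_rate(5))                           # 0.0005
```

The counter has to live server-side and be keyed to the identity being linked (the phone number or VIN), not to the client session; otherwise the attacker simply opens a new session after each lockout. A short OTP validity window and per-source rate limiting close the remaining gap.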

Multiple API Vulnerabilities Exposed

Bhaskar identified three critical security flaws in Volkswagen’s systems:

Internal Credentials Leaked: An API endpoint exposed internal usernames, passwords, tokens, and even credentials for third-party services like payment processors and Salesforce in plaintext.

Personal Details Exposed via VIN: Another endpoint revealed customer profiles including names, phone numbers, email addresses, postal addresses, and registration details tied to service records – all accessible using only a vehicle’s VIN.

Complete Service History Accessible: A third vulnerability exposed full service histories, customer complaints, and even customer satisfaction survey results for any vehicle by simply entering its VIN.
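The second and third flaws are the same mistake: an endpoint that treats the VIN, a value anyone can read through the windshield, as if it were proof of ownership. The following added example, not Volkswagen’s code, shows a service-history lookup in that vulnerable form beside a hardened form that only serves a VIN linked to the authenticated account. The VINs, owners, records and function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Added example: a "service history by VIN" lookup, vulnerable and fixed.
# Not Volkswagen's code; the VINs, owners, records and names are constructed.

# Basic format check: a VIN is 17 characters and never contains I, O or Q.
VIN_RE = re.compile(r"^[A-HJ-NPR-Z0-9]{17}$")


@dataclass(frozen=True)
class ServiceRecord:
    date: str
    work: str
    complaint: str


# Constructed sample data: which account owns which vehicle, and its history.
VEHICLE_OWNER: Dict[str, str] = {
    "WVWZZZ3CZWE000001": "user-1001",
    "WVWZZZ1KZ8W000002": "user-2002",
}

SERVICE_HISTORY: Dict[str, List[ServiceRecord]] = {
    "WVWZZZ3CZWE000001": [
        ServiceRecord("2023-04-12", "oil change", "none"),
        ServiceRecord("2024-02-03", "brake pads", "squeal at low speed"),
    ],
    "WVWZZZ1KZ8W000002": [
        ServiceRecord("2024-06-30", "recall campaign", "none"),
    ],
}


class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested vehicle."""


def history_vulnerable(vin: str) -> List[ServiceRecord]:
    """The flawed pattern: the VIN is the only input, so anyone who can read
    it off a windshield receives the owner's full service history."""
    return SERVICE_HISTORY.get(vin, [])


def history_fixed(session_user: str, vin: str) -> List[ServiceRecord]:
    """Object-level authorization: the VIN must belong to the logged-in account.

    Unknown and foreign VINs raise the same Forbidden error, so the endpoint
    cannot be used to confirm which VINs exist in the system.
    """
    if not VIN_RE.fullmatch(vin):
        raise ValueError("malformed VIN")
    if VEHICLE_OWNER.get(vin) != session_user:
        raise Forbidden("vehicle is not linked to this account")
    return SERVICE_HISTORY.get(vin, [])


if __name__ == "__main__":
    # A stranger holding only the VIN: the vulnerable endpoint hands over everything.
    print(len(history_vulnerable("WVWZZZ3CZWE000001")))          # 2
    # The fixed endpoint serves the owner and refuses everyone else.
    print(len(history_fixed("user-1001", "WVWZZZ3CZWE000001")))  # 2
    try:
        history_fixed("user-2002", "WVWZZZ3CZWE000001")
    except Forbidden as err:
        print("denied:", err)
```

The ownership check belongs on every vehicle-scoped endpoint (profile, service history, telemetry, remote commands), not just the one that was reported; a single unchecked route is enough to expose the data again.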

The vulnerabilities allowed potential attackers to:

Access vehicle locations, engine health, fuel stats, and tire pressure data.

Obtain owner personal information including home addresses and driving license details.

View complete service histories and customer complaints.

Potentially control vehicle features remotely.

“Imagine stalkers or criminals armed with this data,” noted Denis Laskov, Chief Hacker at EY IL, who shared Bhaskar’s findings. 

“They could easily determine your real-time location, home address, frequently visited places, phone number, and email address.”

Bhaskar reported the vulnerabilities to Volkswagen on November 23, 2024. After several months of communication, Volkswagen confirmed on May 6, 2025, that all vulnerabilities had been patched.

As vehicles become increasingly connected to the internet, security researchers warn that manufacturers must prioritize cybersecurity to prevent unauthorized access to the growing amount of personal data collected by modern cars.
