Volkswagen has had another big problem with cybersecurity, as flaws in its connected car app exposed personal data and full service histories of vehicles worldwide. The vulnerabilities, found by a cybersecurity expert, allowed access to user data with nothing more than a vehicle's VIN, a number that is visible through the windshield of most cars.
This is Volkswagen’s second big data security issue in six months. In December 2024, a separate cloud storage leak exposed data from around 800,000 electric vehicles. As cars get more and more connected to the internet, this latest issue shows how important cybersecurity is in the automotive industry.
Simple flaws lead to big data exposure
The vulnerabilities were first found by cybersecurity researcher Vishal Bhaskar in 2024 when he bought a used Volkswagen. When he tried to link his car to the My Volkswagen app, Bhaskar found that the one-time password (OTP) used to verify accounts was sent to the previous owner’s phone number. Further investigation showed that the vulnerabilities were not limited to OTP issues. The app’s back-end systems also lacked strong protections, allowing anyone with basic technical skills to access a range of sensitive data.
Instead of giving up, Bhaskar looked into the app's design. He noticed it had no lockout mechanism to stop repeated OTP attempts. With the help of the request interception tool Burp Suite, he wrote a simple Python script that could keep guessing the OTP until it unlocked the account.
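The design gap described above is the absence of a failure counter on the OTP check. The following is an added example, not code from the article or from Volkswagen, that places a verifier with no lockout next to one that enforces an attempt limit, blocks re-issuing a code during the lockout (so requesting a fresh code cannot reset the counter), expires codes, makes them single use, and compares in constant time. Class names, the five-attempt limit, the fifteen-minute lockout and the five-minute code lifetime are assumptions chosen for illustration.

```python
"""Added example, not code from the article or from Volkswagen: an OTP
verifier without a lockout next to one that enforces an attempt limit.
Class names, limits and timings are assumptions chosen for illustration."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

OTP_DIGITS = 6
MAX_ATTEMPTS = 5            # assumed policy: lock after five wrong guesses
LOCKOUT_SECONDS = 15 * 60   # assumed policy: fifteen-minute lockout
OTP_TTL_SECONDS = 5 * 60    # assumed policy: a code is valid for five minutes


def random_code() -> str:
    """CSPRNG-backed, zero-padded numeric code."""
    return f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"


@dataclass
class OtpRecord:
    code: str
    issued_at: float
    failures: int = 0


class NaiveOtpVerifier:
    """The weak pattern the article describes: nothing counts failures, so a
    caller may keep submitting guesses against the same code indefinitely."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}

    def issue(self, account_id: str) -> str:
        self._pending[account_id] = random_code()
        return self._pending[account_id]

    def verify(self, account_id: str, attempt: str) -> bool:
        return self._pending.get(account_id) == attempt


class LockingOtpVerifier:
    """Hardened pattern: per-account failure counter, lockout window that also
    blocks re-issuing codes, code expiry, single use, constant-time compare."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, OtpRecord] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account_id: str) -> bool:
        return self._now() < self._locked_until.get(account_id, 0.0)

    def issue(self, account_id: str) -> Optional[str]:
        # Refusing to issue during lockout stops "request a fresh code" from
        # being used to reset the failure counter.
        if self.is_locked(account_id):
            return None
        rec = OtpRecord(code=random_code(), issued_at=self._now())
        self._pending[account_id] = rec
        return rec.code

    def verify(self, account_id: str, attempt: str) -> bool:
        if self.is_locked(account_id):
            return False                      # reject even a correct guess
        rec = self._pending.get(account_id)
        if rec is None:
            return False
        now = self._now()
        if now - rec.issued_at > OTP_TTL_SECONDS:
            del self._pending[account_id]     # expired: must be re-issued
            return False
        if hmac.compare_digest(rec.code, attempt):
            del self._pending[account_id]     # single use
            return True
        rec.failures += 1
        if rec.failures >= MAX_ATTEMPTS:
            del self._pending[account_id]     # discard the guessed-at code
            self._locked_until[account_id] = now + LOCKOUT_SECONDS
        return False


def demo(start: float = 1_700_000_000.0) -> dict:
    """Drive the hardened verifier with a fake clock and report what happens."""
    clock = [start]
    v = LockingOtpVerifier(now=lambda: clock[0])
    code = v.issue("acct-1")
    wrong = "000000" if code != "000000" else "111111"
    wrong_results = [v.verify("acct-1", wrong) for _ in range(MAX_ATTEMPTS)]
    out = {
        "wrong_guesses_accepted": any(wrong_results),
        "locked_after_limit": v.is_locked("acct-1"),
        "correct_code_while_locked": v.verify("acct-1", code),
        "reissue_while_locked": v.issue("acct-1"),
    }
    clock[0] += LOCKOUT_SECONDS + 1               # wait out the lockout
    fresh = v.issue("acct-1")
    out["fresh_code_after_lockout"] = fresh is not None and v.verify("acct-1", fresh)
    return out


if __name__ == "__main__":
    print(demo())
```

The injected clock in `demo()` lets the lockout be exercised without sleeping; in production the counter and lock state would live in shared storage so that spreading attempts across app servers does not bypass the limit.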
Multiple vulnerabilities in Volkswagen’s systems
Bhaskar’s investigation found three critical flaws in Volkswagen’s digital infrastructure:
- Leaked internal credentials: One API endpoint revealed various tokens and credentials for third-party services. This information, in plain text, could give attackers access to other sensitive systems.
- Personal information via VIN: Another API flaw allowed anyone to retrieve customer profiles by just entering a vehicle’s VIN. This included names, phone numbers, email addresses, home addresses, and detailed vehicle registration information.
- Service histories exposed: A third issue exposed the full service histories of vehicles, including customer complaints, warranty claims, and satisfaction survey results. All of this could be accessed with just the VIN, putting current and previous owners at risk.
With these flaws, an attacker could get personal information and real-time vehicle data like location, engine performance, and even fuel levels. Experts say this data could be used to track drivers, learn their daily routines, and even identify their home addresses.
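The second and third flaws share one root cause: the VIN was treated as the credential, so the endpoint never asked whether the caller was entitled to that vehicle's records. The following is an added example, not code from the article or from Volkswagen, showing a VIN-keyed profile lookup written the weak way and then with an object-level authorization check that binds the VIN to the authenticated account, together with a small detector that flags callers walking many distinct VINs in request logs. The records, account ids, VINs, log format and threshold are all constructed for the example.

```python
"""Added example, not code from the article or from Volkswagen: a VIN-keyed
customer-profile lookup written first the weak way (the VIN is the only
"credential") and then with an object-level authorization check, plus a
small detector that flags callers enumerating many VINs in request logs.
All records, account ids, VINs, the log format and thresholds are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed sample records: VIN -> customer profile.
PROFILES: Dict[str, dict] = {
    "WVWZZZ1KZAW000001": {"name": "A. Example", "phone": "+49 30 0000001",
                          "email": "a@example.invalid", "address": "Beispielstr. 1"},
    "WVWZZZ1KZAW000002": {"name": "B. Example", "phone": "+49 30 0000002",
                          "email": "b@example.invalid", "address": "Beispielstr. 2"},
}
# Ownership binding: which authenticated account is linked to which VIN.
ACCOUNT_VEHICLES: Dict[str, Set[str]] = {
    "acct-a": {"WVWZZZ1KZAW000001"},
    "acct-b": {"WVWZZZ1KZAW000002"},
}


@dataclass
class Session:
    account_id: Optional[str]   # None models an unauthenticated caller


class Forbidden(Exception):
    """Raised for every refused lookup, whatever the reason."""


def get_profile_weak(vin: str) -> Optional[dict]:
    """The flaw pattern: whoever can read a VIN off a windshield can read the
    owner's profile.  No session, no ownership check."""
    return PROFILES.get(vin)


def get_profile(session: Session, vin: str) -> dict:
    """Hardened: the caller must be authenticated and the VIN must be linked
    to the caller's own account.  Unknown and not-yours VINs get the same
    error so the endpoint does not confirm which VINs exist."""
    if session.account_id is None:
        raise Forbidden("authentication required")
    if vin not in ACCOUNT_VEHICLES.get(session.account_id, set()):
        raise Forbidden("vehicle not linked to this account")
    profile = PROFILES.get(vin)
    if profile is None:
        raise Forbidden("vehicle not linked to this account")
    return profile


# Constructed request log: "<timestamp> <caller> <vin> <http_status>".
SAMPLE_LOG = """\
2025-01-10T10:00:01Z acct-a WVWZZZ1KZAW000001 200
2025-01-10T10:00:05Z acct-b WVWZZZ1KZAW000002 200
2025-01-10T10:01:00Z acct-c WVWZZZ1KZAW000003 403
2025-01-10T10:01:01Z acct-c WVWZZZ1KZAW000004 403
2025-01-10T10:01:02Z acct-c WVWZZZ1KZAW000001 403
2025-01-10T10:01:03Z acct-c WVWZZZ1KZAW000002 403
2025-01-10T10:02:00Z acct-a WVWZZZ1KZAW000001 200
"""


def flag_vin_enumeration(log_text: str, max_distinct_vins: int = 2) -> List[str]:
    """A legitimate owner touches one or two VINs; a caller walking many
    distinct VINs is enumerating.  Returns the callers over the threshold."""
    vins_by_caller: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, caller, vin, _status = line.split()
        vins_by_caller[caller].add(vin)
    return sorted(c for c, vins in vins_by_caller.items()
                  if len(vins) > max_distinct_vins)


if __name__ == "__main__":
    print(get_profile(Session("acct-a"), "WVWZZZ1KZAW000001"))
    print(flag_vin_enumeration(SAMPLE_LOG))
```

The ownership table is the piece the weak version lacks: every record keyed by a guessable identifier needs a check of who is asking, not only what they are asking for. The detector is deliberately simple; in practice the distinct-VIN count would be taken per caller over a sliding window and joined with the 403 rate, since the hardened endpoint turns enumeration into a visible stream of refusals.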
Volkswagen patches the vulnerabilities
Bhaskar reported the flaws to Volkswagen on November 23, 2024. After an extended exchange with the company, Volkswagen confirmed on May 6, 2025, that all of the flaws had been fixed. But the discovery raises serious questions about the security of connected cars and the amount of personal data they hold.
As cars become more connected and smart, security experts are urging manufacturers like Volkswagen to prioritize digital safety. Bhaskar's research shows the need for more rigorous security testing and better encryption to protect drivers and their data.
With consumers relying increasingly on connected car services, it’s clear the automotive industry must take data security as seriously as it does vehicle safety. Without strong protections in place, breaches like this could become more common and put millions of drivers and their data at risk.