Cyber Incident Victim: PakWheels

Date: Dec 2016

Location: Pakistan

Summary

A major Pakistani automotive platform experienced a server breach compromising over 674,000 user accounts due to exploitation of a vulnerability in outdated forum software. The attackers accessed personal data including names, email addresses, encrypted passwords, phone numbers, and linked Facebook session information. The intrusion occurred prior to October 2016, and the perpetrators remained unidentified. This incident followed a pattern of similar breaches affecting unpatched vBulletin-based platforms globally, highlighting systemic security risks associated with unmaintained software. The compromised service ranks among Pakistan's most visited websites, serving as a critical marketplace for vehicle transactions and automotive discussions since its founding.

Description

In late December 2016, PakWheels, Pakistan’s largest automotive classifieds platform, notified users via email that an unauthorized third party had breached its systems, compromising registered user data. The breach exploited a known vulnerability in the site’s outdated vBulletin forum software, though the intrusion date was not specified beyond having occurred prior to October 2016. While PakWheels did not publicly disclose the scale of the compromise, external analysis by LeakedSource revealed that 674,775 user accounts were exfiltrated, containing names, email addresses, encrypted passwords, mobile phone numbers, and Facebook session data. The company’s December 26 notification email confirmed the breach but provided no technical details about the attacker’s identity or methodology beyond the vBulletin exploit. Founded in 2003 as Pakistan’s primary automotive enthusiast and sales platform, PakWheels ranked among the country’s top 67 websites by traffic at the time of the incident, amplifying the breach’s potential impact. No evidence suggested financial data was compromised, but the exposure of Facebook session tokens created secondary authentication risks for users who linked social media accounts.

The incident marked Pakistan’s second major corporate data breach in 2016, following the May intrusion of real estate portal Zameen by a Bangladeshi hacker. PakWheels’ breach reflected a broader pattern of vBulletin-related compromises throughout 2016, including high-profile incidents affecting Clash of Kings (1.6 million accounts), Epic Games (800,000 accounts), and Mail.ru (27 million accounts). The company directed users to reset passwords immediately, particularly those using Facebook credentials for site access, but did not specify whether it had patched the vBulletin vulnerability or implemented additional security measures post-breach. Alexa traffic rankings confirmed PakWheels’ continued operational status following disclosure, with no reported service disruptions. LeakedSource’s involvement in validating the breach scope highlighted third-party monitoring of such incidents, though the origin of the PakWheels data provided to them remained unclear. The breach underscored persistent risks associated with unpatched forum software in regional web platforms handling sensitive user information.