U-Haul tells 67K customers that cyber-crooks drove away with their personal info

Thieves broke into IT system using stolen login

U-Haul is alerting tens of thousands of folks that miscreants used stolen credentials to break into one of its systems and access customer records that contained some personal data.

A U-Haul spokesperson told The Register that about 67,000 customers in the United States and Canada were affected, but declined to answer other questions about the security snafu.

The intrusion happened on December 5, according to letters going out this week to those affected. After investigating the break-in with the help of an outside cybersecurity firm, the moving and truck rental giant determined crooks accessed its U-Haul Dealer and Team Members system used to track reservations and view customer records. 

These customers' records contained personal information, including names, dates of birth, and driver license numbers. No financial information was stolen, according to U-Haul.

"The customer record system that was involved is not part of our payment system," the biz said in its notification letter [PDF]. "No payment card data was involved."

U-Haul says it hardened its security systems to help prevent future breaches. Specifically, this included changing passwords on compromised accounts and offering affected customers a free, one-year membership with Experian IdentityWorks Credit 3B.

While the U-Haul spokesperson declined to comment on how the criminals obtained the compromised credentials — eg, from an earlier data dump, or a social-engineering campaign — the incident illustrates how these types of identity-related attacks have skyrocketed over the past year.

IBM X-Force, in a threat intelligence report published earlier this week, reported a 71 percent year-over-year increase in the volume of attacks using valid credentials in 2023. 

In fact, compromised accounts represented 30 percent of all incidents that the IT giant's incident response team assisted with last year.

On a related note: X-Force also found that cloud account credentials make up 90 percent of for-sale cloud assets on the dark web.

Meanwhile, CrowdStrike's 2024 Global Threat Report, also published this week, found a similar increase in identity-related threats. In addition to using stolen credentials, the outfit's threat intel team spotted attackers targeting API keys and secrets, session cookies and tokens, one-time passwords, and Kerberos tickets.

"Threat actors have really focused on identity – taking a legitimate identity, logging in as a legitimate user, and then laying low, staying under the radar by living off the land and using legitimate tools," Adam Meyers, head of counter adversary operations at CrowdStrike, told The Register in an earlier interview. ®

More about


Send us news

Other stories you might like