Login credentials and other sensitive data from more than a half million vehicle tracking devices, which continually pinpoint vehicles’ locations, were left unprotected online. The exposed records belonging to SVR Tracking, headquartered in San Diego, were discovered by Kromtech security researchers.

Thanks to a misconfigured Amazon AWS S3 bucket, 540,642 account IDs which included logins were leaked online. However, Kromtech suggested the actual number of devices tied to those accounts could be “much larger, given the fact that many of the resellers or clients had large numbers of devices for tracking.”