A Tesla forum user was mistakenly given access to 1.5 million accounts
The user, Daniel Eleff, reported the error to Tesla, and no evidence of misuse was found during an internal audit.
Daniel Eleff is a Tesla Model 3 customer who was experiencing some unpleasantness during his delivery process. He took to Tesla's official forums to talk about it, and that set off a whole chain of events that led him to have access to over 1.5 million forum users' information, which he outlined in a post on his website on Saturday.
First, we should start by saying that Tesla's forums are dated, to say the least. Eleff points out in his post that users can't upload images or edit posts. There also doesn't appear to be any visible moderation or company involvement in the forums. This caused Eleff to call Tesla's customer service when his post disappeared, asking to be listed as an owner on the forum -- since non-owners are limited to one thread per day, and he did, in fact, own a Tesla -- to expand his posting privileges.
Tesla's customer service agent was allegedly baffled by Eleff's request for forum support and promised to forward the request to the IT department. When Eleff checked back on the forum around an hour later, he found he'd been given full administrator powers over the entire forum. This gave him the ability to edit and delete posts, as well as restore posts that had been removed -- including his own. It also gave him access to the personal information of all 1.5 million members of the forum.
We'll let that sink in for a second, because that's a pretty sizable breach of infosec.
"The customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels," said Tesla representatives in a statement to Roadshow. "We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit. We have no reason to believe that there was any abuse of accounts or content on our forums, and we have taken steps to ensure this does not happen again."
He also found that he wasn't the only person listed as an administrator without an "@tesla.com" email address. There were numerous other examples, which he guessed had been given access the same way he had. Thankfully, Mr. Eleff opted to report the issue to Tesla rather than going on some crazy forum rampage with his newfound powers.