X

A Tesla forum user was mistakenly given access to 1.5 million accounts

The user, Daniel Eleff, reported the error to Tesla, and no evidence of misuse was found during an internal audit.

Kyle Hyatt Former news and features editor
Kyle Hyatt (he/him/his) hails originally from the Pacific Northwest, but has long called Los Angeles home. He's had a lifelong obsession with cars and motorcycles (both old and new).
Kyle Hyatt
2 min read
2018 Westworld panel at SXSW. Cast and showrunners provide an inside look at the award-winning Show
Enlarge Image
2018 Westworld panel at SXSW. Cast and showrunners provide an inside look at the award-winning Show

"What? Infosec on the forums, man? Far out, man."

FilmMagic/Getty Images

Daniel Eleff is a Tesla Model 3 customer who was experiencing some unpleasantness during his delivery process. He took to Tesla's official forums to talk about it, and that set off a whole chain of events that led him to have access to over 1.5 million forum-users' information, which he outlined in a post on his website on Saturday.

First, we should start by saying that Tesla's forums are dated, to say the least. Dan points out in his post that users can't upload images or edit posts. There also doesn't appear to be any visible moderation or company involvement in the forums. This caused Eleff to call Tesla's customer service when his post disappeared, asking to be listed as an owner on the forum -- since non-owners are limited to one thread per day, and he did, in fact, own a Tesla -- to expand his posting privileges.
Tesla's customer service agent was allegedly baffled by Eleff's request for forum support and promised to forward the request to the IT department. When Eleff checked back on the forum around an hour later, he found he'd been given full administrator powers over the entire forum. This gave him the ability to edit and delete posts, as well as restore posts that had been removed -- including his own. It also gave him access to the personal information of all 1.5 million members of the forum.

tess66
Enlarge Image
tess66

This screen capture of the Tesla Forum is what it looked like normally to user Daniel Eleff of DansDeals.com.

Daniel Eleff/DansDeals.com

We'll let that sink in for a second, because that's a pretty sizable breach of infosec.

"The customer was inadvertently granted a higher level of permissions than he should have had to the Tesla forum, which is not connected to our vehicles, main website, or other digital channels," said Tesla representatives in a statement to Roadshow. "We revoked the access as soon as it was reported, and made other changes to adjust privileges accordingly following a full audit. We have no reason to believe that there was any abuse of accounts or content on our forums, and we have taken steps to ensure this does not happen again."

He also found that he wasn't the only person listed as an administrator without an "@tesla.com" email address. There were numerous other examples, which he guessed had been given access the same way he had. Thankfully, Mr. Eleff opted to report the issue to Tesla rather than going on some crazy forum rampage with his newfound powers.

Tesla's Model 3 Performance subtly adds the power

See all photos