The data comes from a now defunct racing forum called DownForce, which closed several years ago, leaving Vickery to question why the data was kept in the first place.
DownForce was part of a fan package offered by IndyCar. Based on website archives, for a one-time administrative fee of $28.99, plus a yearly fee of $13.99, racing fans could get access to a number of exclusives, including a private message board for "the INDY DownForce community."
The databases exposed by IndyCar's Rsync configuration were mostly related to day-to-day operations, including employee login credentials.
However, Vickery also discovered the DownForce backup, which contains a user's first and last name, date of birth, gender, mailing address, password hash, security question, and the corresponding answer.
Some of that data was collected during the DownForce registration process, but it isn't clear if the databases overlapped or if a DownForce member had to register twice.
"It’s important to point out that the IndyCar bulletin board these accounts come from has since been retired. So, there is no need to change your IndyCar forum login password," Vickery wrote in a blog post on the discovery.
While it's true the data exposed by this Rsync issue is old, that doesn't mean it shouldn't be protected. Moreover, why was it there in the first place?
"That’s nothing but liability. They are putting customers at risk for no gain," Vickery added.
"I can only assume the attorneys and risk-management folks working for IndyCar were unaware that defunct forum logins were being stored."
Salted Hash has reached out to IndyCar for comment. This story will be updated should they respond.
On Twitter, the person managing the IndyCar account told Vickery the company was handling the issue, and that they "hope to have it resolved very soon." CSO/DSG