Ransomware victim disclosure
← All victimsVolkswagen Group
Claimed by Stormous · listed 1 year ago
Status timeline
- ListedMay 31, 2025
- Data leakeddate unknown
At a glance
- Group
- Stormous
- Status
- Data leaked
- Country
- Germany
- Sector
- Manufacturing
- Listed on leak site
- May 31, 2025
About the victim
AI dossier — public-source company profileVolkswagen Group is a multinational automotive conglomerate headquartered in Germany, operating multiple car brands including Volkswagen, Audi, Porsche, Škoda, Bentley, Lamborghini, and others, along with commercial vehicle and mobility divisions. The group is a major global manufacturer with significant operations across multiple continents.
- Industry
- Automotive Manufacturing
Attack summary
Severity: critical — Exfiltration of authentication tokens, OAuth credentials, and session management data for a major automotive manufacturer poses extreme risk for account takeover, lateral movement, and unauthorized access to internal systems and customer data. The scope indicators (email, profile, VIN, phone) suggest PII exposure at scale.Stormous claims to have accessed user account data and authentication infrastructure, including OAuth tokens, JWT tokens, session cookies, login links for internal identity systems, and access control details with associated scopes. The post indicates exfiltration of identity and authentication materials rather than operational encryption.
Data the group says was taken
AI dossier — extracted from the leak post- user account data
- OAuth tokens
- JWT tokens
- session cookies
- internal system login links
- authentication credentials
- identity information
- email addresses
- phone numbers
- VIN data
- access control scopes
What the group claims
User account data (partially hidden emails) Authentication tokens (OAuth tokens, JWT tokens) Login links for internal systems (e.g., https://identity.vwgroup.io) Session cookies (JSESSIONID and others) identity and access information (scopes such as email, profile, vin, phone, etc.) Authentication and access control details (redirect_uri, state, nonce)
Sources
Source
Indexed 1 year agoThis page surfaces a public ransomware disclosure indexed by Darkfield. Original posts come from the operator's own leak site; we cross-check against ransomware.live, RansomLook and RansomWatch where applicable. Share this URL freely.
Is this your supplier? Your competitor? You?
Pro plans monitor your domain, corporate emails, and crypto wallets across every new ransomware leak-site post, breach dump and Telegram callout — alerts within 5 minutes.

