some websites should have hallways between their pages, to provide you the chance to prepare for what lies in the “next room”
Tagged: #good ideas
Members of an underground criminal community that hack massive companies, steal swathes of cryptocurrency, and even commission robberies or shootings against members of the public or one another have an unusual method for digging up personal information on a target: the truck and trailer rental company U-Haul. With access to U-Haul employee accounts, hackers can look up a U-Haul customer’s personal data, and with that try to social engineer their way into the target’s online accounts. Or potentially target them with violence too.
The news shows how members of the community, known as the Com and composed of potentially a thousand people who coalesce on Telegram and Discord, use essentially any information available to them to dox or hack people, no matter how obscure. It also provides context as to why U-Haul may have been targeted repeatedly in recent years, with the company previously disclosing multiple data breaches.
“U-Haul has lots of information, it can be used for all sorts of stuff. One of the primary cases is for doxing targs [targets] since they [seem] to have information not found online and ofc U-Haul has confirmed this info with the person prior,” Pontifex, the administrator of a phishing tool which advertises the ability to harvest U-Haul logins, told 404 Media in an online chat. The tool, called Suite, also advertises phishing pages for Gmail, Coinbase, and the major U.S. carriers T-Mobile, AT&T, and Verizon.
Specifically, Pontifex said the U-Haul phishing page is a clone of the official point-of-sale (POS) login page, which is used by U-Haul workers. Once inside, hackers can “look up customer info from an email and it gives back their name, address, phone number and last 4 billing,” Pontifex said. This information can be used to then socially engineer access to major ISP emails such as Comcast, Pontifex added.
“There is a ton of stuff you can actually do from the POS panel,” they said.
Multiple people have advertised harvested U-Haul logins in fraud and hacking focused Telegram groups, according to a 404 Media review of those channels.
“U-HAUL POS LOGIN. Allows you to easily dox emails and phone numbers,” one message reads.
These advertisements are in channels associated with the Com, a nebulous network of hackers, fraudsters, gamers, people who hang out on Discord, and girls who are sometimes groomed by other participants. Activities include SIM swapping, stealing cryptocurrency, and hacking corporations. There is some overlap with the nexus of activity dubbed Scattered Spider, which is linked to the hack of MGM Resorts last year. To stay one step ahead of other criminals who want to rob or harm them, some members “Airbnb hop,” which involves booking Airbnbs under false identities and regularly moving from location to location, 404 Media previously reported.
U-Haul did not respond to multiple requests for comment from 404 Media, the first being in September.
In September 2022, U-Haul announced a hacker broke into the company’s systems and used an internal tool to look up customer contracts. In February 2024, U-Haul provided information on another recent breach in which a hacker used “legitimate credentials” to access a system U-Haul dealers use to track reservations and view customer records, The Record reported.
In another example of how the Com sources data, 404 Media previously reported on the complex supply chain that starts with people giving their addresses to credit card companies, and ends with bots on Telegram able to dox essentially anyone in America for $15.
After an avalanche of lawsuits over scraping everyone’s copyrighted works for their LLMs to regurgitate, OpenAI promised in May 2024 to develop a “Media Manager” tool to let creators opt their works out of training. OpenAI said this would be in place “by 2025.” [OpenAI, archive]
You’ll be utterly unsurprised to hear that Media Manager is not in place as of 2025. You might even think this was all a PR stunt they had no intention of delivering on. [TechCrunch]
“I don’t think it was a priority,” one former OpenAI employee told TechCrunch. “To be honest, I don’t remember anyone working on it.”
It’s unclear how a Media Manager as OpenAI describes it could ever have worked in the first place. LLMs are lossy compression for text. The source texts are fed in and set as weights in the LLM.
You can’t go in and cleanly delete the weights from that source text and not other source texts without retraining the whole LLM afresh.
It’s like making soup then saying you can just delete the garlic.
To see how hard it is in practice to remove text from LLMs, look at the kludged solutions to removing defamatory output — the companies put a crude filter on, and maybe add new text with updated information.
In any case, opt-out isn’t how copyright law works. All works are born copyrighted. If you want to use a work, you have to license it beforehand, not tell the owner to opt out of your use after the fact.
Capabilities used in or justified by extreme circumstances often become commonplace and are used for much more mundane things in the future. And so the remote investigative actions taken by Elon Musk in Wednesday’s Cybertruck explosion in Las Vegas are a warning and a reminder that Tesla owners do not actually own their Teslas, and that cars, broadly speaking, are increasingly spying on their owners and the people around them.
After the Cybertruck explosion outside of the Trump International Hotel in Vegas on Wednesday, Elon Musk remotely unlocked the Cybertruck for law enforcement and provided video from charging stations that the truck had visited to track the vehicle’s location, according to information released by law enforcement.
“We have to thank Elon Musk specifically, he gave us quite a bit of additional information in regards to—the vehicle was locked due to the nature of the force from the explosion, as well as being able to capture all of the video from Tesla charging stations across the country, he sent that directly to us, so I appreciate his help on that,” Clark County Police sheriff Kevin McMahill said in a press conference.
The fact that the CEO of a car company or someone working on his behalf can—and did—remotely unlock a specific vehicle and has the means of tracking its location as well as what Musk described as the vehicle’s “telemetry” is not surprising given everything we have learned about newer vehicles and Teslas in particular. But it is a stark reminder that while you may be able to drive your car, you increasingly do not own it, that the company that manufactured it can inject itself into the experience whenever it wants, and that information from your private vehicle can be provided to law enforcement. Though Musk is being thanked directly by law enforcement, it is not clear whether Musk himself is performing these actions or whether he’s directing Tesla employees to do so, but Tesla having and using these powers is concerning regardless of who is doing it.
With Teslas, it is not just remote unlocking and tracking ability that shows who holds the power here. It’s the fact that Teslas are incredibly difficult for independent repair shops to fix. It’s the subscription “Premium Connectivity” entertainment features. It’s the fact that entire feature sets like “full self driving,” which are built into the car’s hardware, can only be unlocked with expensive software purchases or subscriptions. It’s the fact that random Tesla workers spied on customers using onboard cameras and shared them with each other. It’s the fact that cops see Teslas near crime scenes as potential sources of video footage.
It’s the fact that “full self-driving” is being used to train Tesla’s broader self-driving program, which is a software product and which will inevitably become some sort of revenue share or rideshare robotaxi product. All of these “features” are something that is fundamentally incompatible with the concept of individual ownership, and a shift in what we traditionally think of when we purchase a car (or any other product).
We still don’t know that much about Wednesday’s explosion, but Musk and police are operating under the current assumption that this was an intentional car bomb. Under such extreme circumstances, it’s easy to look at the way Musk is proactively helping the police and say that it’s the right thing to do, or a normal thing to do. But surveillance and data collection and sharing that is justified or trialed in extreme situations one day becomes commonplace for more run-of-the-mill situations later on. In the aftermath of the San Bernardino mass shooting, Apple famously refused to help law enforcement break into the shooter’s iPhone or undermine its security because doing so would lead to less privacy for everyone. The type of third-party hacking capability that the FBI used to eventually get into the shooter's iPhone in what was then an extreme occurrence is now a capability that even local police have and is used every single day.
We already know that cars are increasingly spying on their drivers and the world around them, and that this data is not just being shared with law enforcement, it’s being used to make money from customers. Last year, the New York Times’s Kashmir Hill did a series of investigations about how connected cars record telemetry about their drivers and share it with data brokers and insurance companies. This is not just a Tesla problem. But the ability for a vindictive, politics-obsessed CEO to control and monitor the cars his company makes is particularly chilling.