A misconfigured cloud storage server at auto giant BMW exposed sensitive company information, including private keys and internal data, a TechCrunch investigation found.
Can Yoleri, a security researcher at threat intelligence firm SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while regularly scanning the internet.
Yoleri said that the Microsoft Azure-hosted storage servers (also known as “buckets”) exposed in BMW's development environment were “incorrectly configured as public instead of private due to a misconfiguration.”
Yoleri added that the storage bucket contained “a script file containing Azure container access information, a private key to access the private bucket address, and other cloud service details.”
According to screenshots shared with TechCrunch, the leaked data included private keys for BMW's cloud services in China, Europe, and the United States, as well as login credentials for BMW's production and development databases.
It is not known exactly how much data was exposed or how long the cloud bucket was exposed to the internet. “Unfortunately, this is the biggest unknown with the publishing bucket issue,” Yoleri told TechCrunch. “Only the bucket owner can see when the bucket is actually open.”
BMW spokesperson Chris Overall confirmed to TechCrunch in an email that the exposure affected a Microsoft Azure bucket in a storage development environment, and said that no customer or personal data was affected as a result.
The spokesperson added: “The BMW Group was able to resolve this issue in early 2024. We will continue to monitor the situation in cooperation with our partners.”
BMW did not say how long the storage buckets were exposed or whether malicious access to the exposed data was observed. Yoleri said that while there is no evidence of malicious access, “that doesn't mean it doesn't exist.”
Yoleri told TechCrunch that BMW made the bucket private after he reported his findings to the company, but said the company has not revoked or changed any of the passwords and credentials that were found in the public cloud bucket.
“Even if you made the bucket private, you still had to change these access keys. It doesn't matter anymore whether the bucket is private or not,” Yoleri said. He added that he tried to contact BMW regarding this follow-up issue but received no response.
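The remediation gap Yoleri describes (closing the container without rotating what was inside it) is the kind of thing a storage audit should catch. The following is an added example, not code from TechCrunch, BMW or SOCRadar: it scans a constructed sample in the shape of `az storage container list -o json` output for non-private access levels and emits Azure CLI steps that both close the containers and rotate the storage account keys. The account name is a placeholder, and the plan assumes the leaked secrets were storage account keys; any other credential stored in the container would need its own rotation.

```python
import json

# Constructed sample shaped like `az storage container list -o json` output;
# not data from the incident described above.
SAMPLE_LISTING = json.dumps([
    {"name": "dev-scripts", "properties": {"publicAccess": "container"}},
    {"name": "build-artifacts", "properties": {"publicAccess": "blob"}},
    {"name": "internal-config", "properties": {"publicAccess": None}},
])

# Anonymous access levels Azure Blob Storage allows on a container:
# "container" also lets anyone list blobs, "blob" allows reads of known URLs.
PUBLIC_LEVELS = ("container", "blob")


def find_public_containers(listing_json: str) -> list[dict]:
    """Return [{name, level}] for every container that is not private."""
    findings = []
    for container in json.loads(listing_json):
        level = (container.get("properties") or {}).get("publicAccess")
        if level in PUBLIC_LEVELS:
            findings.append({"name": container["name"], "level": level})
    return findings


def remediation_plan(account: str, findings: list[dict]) -> list[str]:
    """Azure CLI steps: close each container, block public access at the
    account level, then rotate both account keys. A key that sat in a public
    container is compromised whether or not the container is private now."""
    if not findings:
        return []
    steps = [
        f"az storage container set-permission --account-name {account} "
        f"--name {f['name']} --public-access off"
        for f in findings
    ]
    steps.append(f"az storage account update --name {account} "
                 "--allow-blob-public-access false")
    for key in ("primary", "secondary"):
        steps.append(f"az storage account keys renew --account-name {account} "
                     f"--key {key}")
    return steps


if __name__ == "__main__":
    found = find_public_containers(SAMPLE_LISTING)
    # "examplestorageacct" is a placeholder account name, not a real one.
    for step in remediation_plan("examplestorageacct", found):
        print(step)
```

Renewing account keys also invalidates every SAS token derived from them, so clients that depend on those tokens need new ones issued alongside the rotation.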
Mercedes-Benz admitted last month that it accidentally leaked large amounts of internal data after leaving a private key online that gave it “unrestricted access” to its source code. After TechCrunch revealed the security issues to Mercedes, the automaker said it “revoked each API token and immediately deleted the public repository.”