A misconfigured cloud storage server belonging to automotive giant BMW exposed sensitive company information, including private keys and internal data, TechCrunch has learned.
Can Yoleri, a security researcher at threat intelligence company SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while routinely scanning the internet.
Yoleri said the exposed Microsoft Azure–hosted storage server — also known as a “bucket” — in BMW’s development environment was “accidentally configured to be public instead of private due to misconfiguration.”
Yoleri added that the storage bucket contained “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.”
Screenshots shared with TechCrunch show that the exposed data included private keys for BMW’s cloud services in China, Europe, and the United States, as well as login credentials for BMW’s production and development databases.
It’s not known exactly how much data was exposed or how long the cloud bucket was exposed to the internet. “Unfortunately, this is the biggest unknown in public bucket problems,” Yoleri told TechCrunch. “Only the bucket owner can see how long it has actually been open.”
When reached by email, BMW spokesperson Chris Overall confirmed to TechCrunch that the data exposure affected a Microsoft Azure bucket based in a storage development environment and said no customer or personal data was impacted as a result.
The spokesperson added that “the BMW Group was able to fix this issue at the beginning of 2024, and we continue to monitor the situation together with our partners.”
BMW would not say for how long the storage bucket was exposed or whether it had observed any malicious access to the exposed data. Yoleri said that while he doesn’t have any evidence of malicious access, “that does not mean it doesn’t exist.”
Yoleri told TechCrunch that while BMW made the bucket private after he reported his findings to the company, the company has not revoked or changed the sets of passwords and credentials found within the exposed cloud bucket.
“Even if the bucket has been made private, it was necessary to change these access keys. It doesn’t matter if the bucket is private anymore,” Yoleri said. He added that he tried to reach out to BMW about this subsequent issue but did not receive a response.
Last month, Mercedes-Benz confirmed it accidentally exposed a trove of internal data after leaving a private key online that allowed “unrestricted access” to its source code. After TechCrunch disclosed the security issue to Mercedes, the carmaker said it had “revoked the respective API token and removed the public repository immediately.”