A faulty cloud storage server owned by automotive giant BMW exposed sensitive corporate information, including private keys and internal data, according to TechCrunch.
Can Yoleri, a security researcher at threat intelligence firm SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while regularly scanning the Internet.
Yoleri said the exposed Microsoft Azure-hosted storage server – also known as a “bucket” – in BMW’s development environment was “accidentally configured to be public instead of private due to a misconfiguration”.
Yoleri added that the storage bucket contained “script files that include access information to Azure containers, secret keys to access private bucket addresses, and details about other cloud services.”
Screenshots shared with TechCrunch show that the exposed data included private keys for BMW’s cloud services in China, Europe and the United States, as well as login credentials for BMW’s production and development databases.
It’s not known exactly how much data was exposed or how long the cloud bucket was exposed online. “Unfortunately, this is the biggest unknown in public bin problems,” Yoleri told TechCrunch. “Only the owner of the bin can see how long it’s actually been open.”
When reached via email, BMW spokesman Chris Overall confirmed to TechCrunch that the data exposure affected a Microsoft Azure bucket based storage development environment and said no customers or personal data were affected as a result.
The spokesperson added that “BMW Group was able to fix this problem in early 2024 and we continue to monitor the situation together with our partners.”
BMW did not say how long the storage bin was exposed or whether it had observed any malicious access to the exposed data. Yoleri said that while he has no evidence of malicious access, “that doesn’t mean it doesn’t exist.”
Yoleri told TechCrunch that while BMW made the bucket private after reporting its findings to the company, the company has not retracted or changed the password and credential sets found in the exposed cloud bucket.
“Even though the bucket has been made private, it was necessary to change those access keys. It doesn’t matter if the bucket is private anymore,” Yoleri said. He added that he tried to contact BMW about this next issue, but did not receive a response.
Last month, Mercedes-Benz confirmed it had accidentally exposed a trove of internal data after leaving a private key online that allowed “unrestricted access” to its source code. After TechCrunch disclosed the security issue to Mercedes, the automaker said it “revoked the corresponding API token and immediately removed it from the public repository.”
