TechRadar
Sead Fadilpašić

BMW security error left valuable private company data exposed online

Automotive giant BMW kept a cloud storage server hosting sensitive data such as private keys and internal information unprotected on the internet, and available to anyone who knew exactly where to look.

Security researcher Can Yoleri approached TechCrunch claiming to have found a Microsoft Azure bucket that was misconfigured, and thus set to be public instead of private.

Yoleri explained that the bucket held “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.” He also found private keys for BMW’s cloud services in China, Europe, and the US. The bucket also contained login credentials for BMW’s production and development databases.

No evidence of file tampering

The logical conclusion here is that if Yoleri could find it, so could malicious actors. Unfortunately, only BMW can say how long the database remained unprotected, and whether anyone accessed it beforehand.

The carmaker’s spokesperson told the publication that there was no evidence the incident affected customers, or personal data. The database was locked down at the beginning of 2024, the spokesperson confirmed. However, not finding evidence and something not happening at all are, obviously, two entirely different things. Whether or not someone steps forward with a database remains to be seen.

However, the worst part is that BMW did not change the secrets that were hosted in the database, Yoleri said. If someone accessed it in the past, it doesn’t matter that it’s now locked down: the credentials and other secrets in there are still valid, and valuable. We’re still waiting on confirmation that BMW has revoked the secrets.

Unprotected and misconfigured databases remain one of the most common causes of data leaks and spills today.
