BMW security error left valuable private company data exposed online

An abstract image of a database
(Image credit: Image Credit: Pixabay)

Automotive giant BMW kept a cloud storage server hosting sensitive data such as private keys and internal information unprotected on the internet, and available to anyone who knew exactly where to look.

Security researcher Can Yoleri approached TechCrunch claiming to have found a Microsoft Azure bucket that was misconfigured, and thus set to be public instead of private.

Yoleri explained that the bucket held “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.” He also found private keys for BMW’s cloud services in China, Europe, and the US. The bucket also contained login credentials for BMW’s production and development databases.

No evidence of file tampering

The logical conclusion here is that if Yoleri could find it - so can malicious actors. Unfortunately, only BMW can say for how long the database remained unprotected, and if anyone accessed it beforehand. 

The carmaker’s spokesperson told the publication that there was no evidence the incident affected customers, or personal data. The database was locked down at the beginning of 2024, the spokesperson confirmed. However, not finding evidence and something not happening at all are, obviously, two entirely different things. Whether or not someone steps forward with a database remains to be seen.

However, the worst part is that BMW did not change the secrets that were hosted in the database, Yoleri said. If someone accessed it in the past, it doesn’t matter that it’s now locked down - the credentials and other secrets in there are still valid, and valuable. We’re still waiting on confirmation that BMW has revoked the secrets.

Unprotected and misconfigured databases remain one of the most common causes of data leaks and spills today.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.