Technology news site TechCrunch has learned that a BMW cloud storage server was misconfigured, exposing private keys and internal business data to the public.
TechCrunch talked to Can Yoleri, a security expert at threat intelligence company SOCRadar, who said that he found the exposed BMW cloud storage server while routinely scanning the internet.
Yoleri said that the exposed storage server, which is hosted on Microsoft Azure and is also called a “bucket,” sat in BMW’s development environment and was “misconfigured and set to be public instead of private.”
The storage bucket also had “script files that include Azure container access information, secret keys for accessing private bucket addresses, and information about other cloud services,” Yoleri said.
Photographs given to TechCrunch show that the information that was leaked included login information for BMW’s production and development databases as well as secret keys for its cloud services in China, Europe, and the US.
No one knows for sure how long the cloud bucket was open to the internet or how much data was leaked. This is the biggest unknown in public bucket problems, Yoleri told TechCrunch. “The owner of the bucket is the only one who can see how long it’s been open.”
Chris Overall, a spokesman for BMW, told TechCrunch by email that the data breach happened in a Microsoft Azure bucket that was used for storage development. He also said that no personal or customer data was affected.
The representative also said, “This problem was fixed by the BMW Group at the start of 2024, and we are still keeping an eye on it with our partners.”
BMW wouldn’t say how long the storage bucket was open to the public or whether it had seen any malicious access to the exposed data. It’s possible that someone was trying to do harm, but Yoleri said, “That does not mean it doesn’t exist.”
Yoleri told TechCrunch that even though BMW made the bucket private after he told them about what he found, the company has not changed or revoked the passwords and identities that were in the public cloud bucket.
“These access keys had to be changed even though the bucket was made private.” “Whether the bucket is private or not now doesn’t matter,” Yoleri said. He also said that he tried to get in touch with BMW about this new problem but didn’t hear back.
Last month, Mercedes-Benz admitted that it accidentally shared a lot of secret data online by leaving a private key online that gave anyone “unrestricted access” to its source code. TechCrunch told Mercedes about the security hole, and the company said it had “revoked the respective API token and removed the public repository immediately.”