A misconfigured cloud storage server belonging to automotive giant BMW exposed sensitive company information, including private keys and internal data, TechCrunch has learned.
Can Yoleri, a security researcher at threat intelligence company SOCRadar, told TechCrunch that he discovered the exposed BMW cloud storage server while routinely scanning the internet.
Yoleri said the exposed Microsoft Azure–hosted storage server — also known as a “bucket” — in BMW’s development environment was “accidentally configured to be public instead of private due to misconfiguration.”
Yoleri added that the storage bucket contained “script files that include Azure container access information, secret keys for accessing private bucket addresses, and details about other cloud services.”
Screenshots shared with TechCrunch show that the exposed data included private keys for BMW’s cloud services in China, Europe, and the United States, as well as login credentials for BMW’s production and development databases.
It’s not known exactly how much data was exposed or how long the cloud bucket was exposed to the internet. “Unfortunately, this is the biggest unknown in public bucket problems,” Yoleri told TechCrunch. “Only the bucket owner can see how long it has actually been open.”
When reached by email, BMW spokesperson Chris Overall confirmed to TechCrunch that the data exposure affected a Microsoft Azure bucket based in a storage development environment and said no customer or personal data was impacted as a result.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
The spokesperson added that “the BMW Group was able to fix this issue at the beginning of 2024, and we continue to monitor the situation together with our partners.”
BMW would not say for how long the storage bucket was exposed or whether it had observed any malicious access to the exposed data. Yoleri said that while he doesn’t have any evidence of malicious access, “that does not mean it doesn’t exist.”
Yoleri told TechCrunch that while BMW made the bucket private after he reported his findings to the company, the company has not revoked or changed the sets of passwords and credentials found within the exposed cloud bucket.
“Even if the bucket has been made private, it was necessary to change these access keys. It doesn’t matter if the bucket is private anymore,” Yoleri said. He added that he tried to reach out to BMW about this subsequent issue but did not receive a response.
Last month, Mercedes-Benz confirmed it accidentally exposed a trove of internal data after leaving a private key online that allowed “unrestricted access” to its source code. After TechCrunch disclosed the security issue to Mercedes, the carmaker said it had “revoked the respective API token and removed the public repository immediately.”
Hyundai Motor India fixes bug that exposed customers’ personal data
