How Misconfigured Cloud Buckets Exposed BMW and Mercedes Secrets – Lessons for Secure Cloud Practices

TechCrunch reported that BMW suffered a serious cloud storage misconfiguration on Microsoft Azure, where a storage bucket was mistakenly set to public access. Security researcher Can Yoleri discovered the bucket contained BMW's private keys, internal data, and credentials for production and development databases.

The exposure of private keys could allow attackers to hijack BMW's cloud services, steal additional data, or conduct malicious operations. The full extent of the leaked data and its time on the internet remain unknown.

Earlier, in February, Cybernews researchers found unprotected .env and .git files on the BMW Italy website, which, while not directly exploitable, could be used for reconnaissance and potentially lead to further attacks.

In a similar incident, Mercedes‑Benz’s internal GitHub Enterprise server was exposed after a public repository contained a private GitHub key, granting unrestricted access to source code, database connection strings, cloud access keys, design documents, SSO passwords, and API keys.

These back‑to‑back breaches illustrate how common configuration mistakes—such as overly permissive storage bucket settings, weak password policies, and poor key management—remain a leading cause of data loss. Gartner reported that 80% of breaches stem from misconfigurations, a figure expected to exceed 90% by 2025.

Expert Recommendations for Preventing Cloud Configuration Errors

Understand Cloud Services and Their Settings : Familiarize yourself with the security features and configuration options of any cloud service you use, and verify proper settings with the provider.

Apply the Principle of Least Privilege : Grant only the minimum permissions required for users or applications to perform their tasks.

Conduct Regular Reviews and Monitoring : Continuously audit cloud configurations and access logs using provider tools to detect unauthorized changes promptly.

Automate Configuration Management : Use automation tools to enforce consistent, secure configurations and apply updates or patches automatically.

Strengthen Authentication and Access Controls : Implement strong password policies, multi‑factor authentication, and strict access control lists.

Maintain Regular Updates and Backups : Keep cloud services and applications up to date, and regularly back up configurations and data to enable rapid recovery after incidents.