BMW dealer at risk of takeover by cybercriminals

Pierluigi Paganini December 20, 2023

By neglecting to set a password, a BMW dealer in India has jeopardized the entire network of car dealerships in the country and put its clients at risk.

The Cybernews research team has discovered that the Bengaluru branch of BMW Kun Exclusive, a BMW dealership in India, has exposed sensitive data to the public.

The data leak could have resulted in unauthorized access to sensitive clients’ and business data or even a full takeover of the BMW outlet’s internal systems by threat actors.

BMW Kun Exclusive put its systems at risk by leaving an environment configuration file (.env) accessible to the public.

The file contained credentials for various business accounts throughout India, including those of 19 other dealerships, logins to the platform used to send marketing-related SMS messages, and tokens and API keys that give access to internal systems and its own WhatsApp account.

Cybernews reached out to the company for an official comment but has yet to receive a reply.


Cybersecurity neglect puts companies at risk

Exposing an .env file poses a significant risk, as the file stored credentials in plaintext for various accounts of dealerships both in and outside India. Cybernews has no information on how the companies are connected.

List of dealerships with leaked credentials:

  • BMW Bird Automotive
  • BMW EVM Autokraft
  • BMW Infinity Cars
  • BMW Krishna Automobiles
  • BMW Munich Motors
  • BMW Navnit Motors
  • BMW Speed Motorwagen
  • BMW Titanium Autos
  • BMW Varsha Autohaus
  • BMW Bavaria Motors
  • BMW Eminent Cars
  • BMW Sanghi Classic
  • BMW OSL Prestige
  • BMW Gallops Autohaus
  • BMW Enterprise BMW

Beyond the file being left accessible to the public, the fact that credentials were saved in plain text already shows weak cybersecurity practices. This kind of cybersecurity neglect potentially enabled malicious actors to gain unauthorized access to the dealership’s systems and databases.

This could encompass customer information, sales records, and financial data. As a result, there’s an elevated risk of sensitive information being stolen and misused for activities such as identity theft, fraud, or sale on the dark web.

The environment file also exposed the username, Entity ID, and password for the platform that’s used to send SMSs to clients. In the hands of cybercriminals, these credentials could be used to impersonate BMW Kun Exclusive and carry out fraud or smishing attacks, potentially leading to financial losses for victims and reputational damage for BMW.
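A check a site owner can run against their own deployment for the exposure described above, added here as an example and not taken from the Cybernews research: it walks a web document root, flags any .env-style file inside it (such files can be served unless the web server is configured to deny dotfiles) and lists the names, never the values, of keys that look like credentials. The key-name heuristic, the function names and the sample file contents are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Key-name fragments that usually mark a credential (assumed heuristic, not from the article).
SECRET_HINTS = re.compile(r"(PASS|SECRET|TOKEN|API_?KEY|SIGNATURE|HASH)", re.I)
ENV_NAME = re.compile(r"^\.env(\..+)?$")  # .env, .env.production, .env.bak ...
LINE = re.compile(r"^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$")


def secret_keys(path):
    """Return names (never values) of non-empty secret-looking keys in a dotenv file."""
    found = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            if raw.lstrip().startswith("#"):
                continue  # commented-out entries are not live configuration
            m = LINE.match(raw)
            if m and SECRET_HINTS.search(m.group(1)) and m.group(2).strip().strip("'\""):
                found.append(m.group(1))
    return found


def audit_webroot(webroot):
    """Map each dotenv file under the document root to its secret-looking key names."""
    report = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if ENV_NAME.match(name):
                full = os.path.join(dirpath, name)
                report[os.path.relpath(full, webroot)] = secret_keys(full)
    return report


def demo():
    """Build a constructed document root with a stray .env and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "public", "app"))
        with open(os.path.join(root, "public", "app", ".env"), "w") as fh:
            # Constructed sample values, not taken from the leak.
            fh.write("APP_NAME=dealer-site\n# SMS_PASSWORD=old\n"
                     "SMS_PASSWORD='example-only'\nexport OAUTH_TOKEN=example-only\n"
                     "WHATSAPP_API_KEY=\n")
        return audit_webroot(os.path.join(root, "public"))


if __name__ == "__main__":
    for path, keys in demo().items():
        print(f"{path}: inside document root; secret-like keys: {', '.join(keys)}")
```

Any file this reports should be moved outside the document root, and every credential named in it treated as exposed and rotated.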

API keys exposed

The leaked file also included API keys, usernames, secrets, hashes, tokens, and signatures. The primary and immediate concern is that threat actors could have potentially accessed systems, services, or data protected by the exposed API key.

Among the several APIs exposed, the most sensitive is the OAuth token endpoint, which might grant access to all the production APIs of BMW Kun Exclusive.

The list of exposed APIs:

  • Event API: enables communication and information sharing between software programs or services.
  • Testdrive system API: used to interact with clients and handle the test-drive system.
  • Request callback API: enables third parties to connect with a system or service by requesting a callback.
  • BMW Kun Exclusive WhatsApp support API: used to facilitate communication between businesses and their customers on the messaging platform.
  • OAuth token endpoint

Exposing API keys, especially when those APIs provide access to confidential or sensitive user data, could lead to data breaches.

Leaking the Testdrive system API may result in data breaches that reveal sensitive data such as the contact details and data of clients who signed up for test drives with Kun Exclusive BMW. Cybercriminals could use the API to obtain more personal information and carry out identity theft and other fraudulent acts.

Leaking the WhatsApp API poses a risk of threat actors accessing WhatsApp’s support system, leading to data breaches and improper use of the company’s official communication channel.

The exposure of the Request Callback API raises the concern that sensitive data might be exposed or leaked. This is particularly troubling because there’s a high likelihood that the exposed API provides access to clients’ personal data, initially provided to Kun Exclusive BMW for contact purposes.

Insufficiently securing APIs leaves them vulnerable to data manipulation. Leaked keys usually allow attackers to steal, modify, or delete data, posing significant security risks. The exposure of API signatures can have profound implications for the authenticity and integrity of requests sent to an API, as these signatures often serve as a means of verification.

The additional risk of exposed API keys and secrets lies in the attackers potentially exploiting them to disrupt BMW dealership services, employing tactics such as flooding servers with requests (DDoS attacks) or unauthorized alteration of configurations.


If you want to learn more about how BMW Kun Exclusive can mitigate the risks, take a look at the original post at:

https://cybernews.com/security/bmw-india-data-leak/

About the author: Paulina Okunytė, Journalist at Cybernews
