Tata Motors has suffered a major data exposure after two AWS keys were found publicly accessible on the internet. The exposed credentials reportedly gave access to over 70 terabytes of internal data stored in hundreds of Amazon S3 buckets.
According to the security researcher who discovered the issue, the keys were not hidden deep inside complex systems. One key was found in plain text inside the source code of a public website. The other was encrypted on the client side but could easily be decrypted in the browser, making it effectively public.
These keys reportedly gave access to a vast amount of sensitive data. The researcher said the exposed buckets contained customer database backups, internal reports, invoices with personal information, and other confidential documents. Some of this data reportedly dated back several years, with one bucket alone holding more than 70 terabytes of files.
The researcher confirmed that no large-scale data downloads were made during the investigation, and there was no proof that malicious actors had accessed the exposed data. Still, the sheer scale of the exposure raises serious concerns about Tata Motors’ cloud security practices.
The issue went beyond AWS keys. The researcher also found a critical flaw in Tata Motors’ internal Tableau setup that allowed users to log in without a password using a simple token request. This flaw made it possible to impersonate any user, including administrators, and access internal dashboards, financial data, and project details.
A separate leak also exposed an active Azuga API key linked to Tata Motors’ test drive fleet management system. If exploited, it could have revealed live vehicle and tracking data.
The researcher reported these findings to CERT-IN and Tata Motors in August 2023. Despite multiple follow-ups over the next few months, some keys reportedly remained active for a while after the initial disclosure. Tata Motors and CERT-IN later confirmed that the exposed credentials had been revoked and the systems were secured.
This case highlights common but serious mistakes made by many companies: hardcoding API keys, using weak encryption, and leaving internal tokens publicly accessible.
For a global company like Tata Motors, such exposure is a major lapse in cloud security. While the issue has now been resolved, it serves as a strong reminder of the importance of strict access control, regular audits, and key rotation to prevent similar incidents in the future.
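
A pre-deploy check for the two exposure patterns described above (a key in plain text in website source, and a key that is only encoded for the client) can be run over built front-end assets. This is an added example, not code from the researcher or Tata Motors. The base64 layer is an assumption standing in for the client-side scheme, which the report does not specify; the bundle text and the second key are constructed, and `AKIAIOSFODNN7EXAMPLE` is the placeholder used in AWS documentation.

```javascript
// Added example: scan front-end assets for AWS access key IDs before deploy.
// Access key IDs are 20 characters: a prefix (AKIA long-term, ASIA temporary)
// followed by 16 uppercase alphanumerics.
const ACCESS_KEY_ID = /\b(?:AKIA|ASIA)[A-Z0-9]{16}\b/g;
// Quoted literals long enough to hold an encoded key, base64 alphabet only.
const BASE64_LITERAL = /["'`]([A-Za-z0-9+/]{28,}={0,2})["'`]/g;

// Never echo a full key into CI logs; keep just enough to locate it.
function mask(id) {
  return id.slice(0, 4) + "****" + id.slice(-4);
}

function scanAsset(file, text) {
  const findings = [];
  text.split("\n").forEach((line, i) => {
    // Case 1: key ID sitting in plain text in shipped source.
    for (const m of line.matchAll(ACCESS_KEY_ID)) {
      findings.push({ file, line: i + 1, kind: "plaintext", key: mask(m[0]) });
    }
    // Case 2: key ID hidden behind a reversible client-side encoding.
    // Assumption: base64 stands in for the scheme, which the page does not name.
    for (const m of line.matchAll(BASE64_LITERAL)) {
      const decoded = Buffer.from(m[1], "base64").toString("latin1");
      for (const k of decoded.matchAll(ACCESS_KEY_ID)) {
        findings.push({ file, line: i + 1, kind: "base64-encoded", key: mask(k[0]) });
      }
    }
  });
  return findings;
}

// Constructed sample bundle (not real data). The second key ID is made up.
const encodedCfg = Buffer.from("accessKeyId=AKIAEXAMPLEKEY000002").toString("base64");
const SAMPLE_BUNDLE = [
  'const region = "ap-south-1";',
  'const creds = { accessKeyId: "AKIAIOSFODNN7EXAMPLE" };',
  `const cfg = atob("${encodedCfg}");`,
  'console.log("ready");',
].join("\n");

function sampleFindings() {
  return scanAsset("app.bundle.js", SAMPLE_BUNDLE);
}

// A non-empty result should fail the build and trigger rotation of the key.
console.log(sampleFindings());
```

Any hit means the key must be revoked and rotated, not just removed from the bundle, since whatever has already been published has to be treated as disclosed.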










