Tata Motors Data Breach

Security researcher Eaton Zveare has disclosed a catastrophic data breach affecting Tata Motors, India's largest automaker, that exposed over 70 terabytes of highly sensitive corporate and customer information through critically misconfigured AWS credentials and poorly secured API endpoints. The vulnerabilities, discovered during ethical hacking assessments in 2023 but publicly disclosed only now, compromised customer databases, financial records, fleet management systems, and administrative dashboards accessible to millions of users worldwide.

The Extent of Exposure: 70+ Terabytes at Risk

The breach originated from hardcoded AWS access keys embedded in plaintext within the source code of E-Dukaan, Tata Motors' e-commerce platform for vehicle spare parts. These exposed credentials granted unrestricted access to multiple Amazon S3 storage buckets containing highly sensitive information. Customer database backups, market intelligence reports, and hundreds of thousands of invoices with personally identifiable information, including names, addresses, and Indian PAN numbers, all remained accessible to anyone with the credentials.

Compounding the exposure, approximately 40 gigabytes of administrative order reports were stored in a single bucket, providing attackers complete visibility into commercial operations. Remarkably, these extensively privileged AWS keys were actually used only to download a single 4-kilobyte tax codes file: a minuscule operational requirement that carried massive security risks.
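The gap described above, between what the keys could do and the one file they were used for, can be checked mechanically before a policy is attached. The following is an added example, not code from Tata Motors or the researcher; the bucket names, object key, both policies and the probe list are constructed, and the evaluator is simplified to Allow statements only.

```python
import re

# Constructed placeholders: the article names neither the bucket nor the object key.
BUCKET = "example-parts-bucket"
TAX_FILE = f"arn:aws:s3:::{BUCKET}/config/tax-codes.json"
NEEDED = [("s3:GetObject", TAX_FILE)]

# Constructed "before": unrestricted S3 access, the scope the article describes.
BROAD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed "after": read the one object the application needs.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": TAX_FILE}]}

# Constructed probes: operations this key must never be able to perform.
PROBES = [
    ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}"),
    ("s3:GetObject", "arn:aws:s3:::example-backup-bucket/customers.sql.gz"),
    ("s3:PutObject", "arn:aws:s3:::example-website-bucket/index.html"),
]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _glob(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def allows(policy, action, resource):
    """True if an Allow statement matches. Simplified: explicit Deny,
    NotAction/NotResource and Condition are not modelled."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if (any(_glob(a, action, True) for a in _as_list(st.get("Action", [])))
                and any(_glob(r, resource) for r in _as_list(st.get("Resource", [])))):
            return True
    return False

def review(policy, needed=NEEDED, probes=PROBES):
    """Return (missing, excess): needed grants absent, and probes allowed."""
    missing = [n for n in needed if not allows(policy, *n)]
    excess = [p for p in probes if p not in needed and allows(policy, *p)]
    return missing, excess

if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, review(pol))
```

A non-empty `excess` list is the signal to fail the change; an empty `missing` list confirms the scoped policy still lets the application fetch its file.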

The breach extended beyond E-Dukaan to FleetEdge, Tata Motors' fleet tracking and management platform serving enterprise clients. A second set of AWS credentials was found encrypted client-side within API responses. The encryption provided only false security, as the decryption keys remained accessible to attackers through browser-based code inspection. This second credential set exposed an additional bucket containing over 70 terabytes of historical fleet data spanning from 1996 to present, including write access to production websites.

Authentication Bypass in Tableau Dashboard Infrastructure

Security researchers identified hardcoded credentials revealing a critical vulnerability in Tata Motors' Tableau analytics deployment. The authentication mechanism employed a "trusted token" model that required only a username and site name to obtain valid authentication tokens, effectively bypassing password verification entirely.

Zveare demonstrated the ability to obtain valid authentication credentials and gain administrative access to Tableau dashboards, providing complete visibility into internal projects, financial reports, dealer performance scorecards, and metadata on over 8,000 users. By identifying server administrator credentials through dashboard metadata, attackers could escalate privileges to achieve full administrative control of the entire Tableau infrastructure.

This exposure granted unauthorized access to sensitive business intelligence used for dealer evaluations, sales forecasting, regional performance analysis, and strategic decision-making. The complete dashboard ecosystem became accessible to any individual with the compromised credentials, representing an extraordinary breach of operational security.

Test Drive Fleet Compromise via Azuga Integration

An additional layer of compromise emerged through discovered API credentials for Azuga, a third-party fleet management platform specifically used by Tata Motors to track test drive vehicles. The API key was exposed directly within JavaScript code on the test drive website, remaining fully functional and enabling unauthorized real-time location tracking of demonstration vehicles.

This exposure threatened operational security for test drive operations, potentially allowing attackers to identify vehicle locations, routes, and timing patterns. Verification confirmed the compromised token remained valid and could be leveraged for ongoing unauthorized access to the fleet management system.

Timeline and Response Inadequacies

Zveare responsibly disclosed all vulnerabilities through India's CERT-In on August 8, 2023, initiating a remediation process that proved frustratingly slow. Despite repeated follow-up communications, Tata Motors required until January 2024 to implement fixes, a five-month remediation window for critical infrastructure exposures. Notably, the company confirmed addressing the issues in 2023 without notifying any affected parties, raising substantial questions about transparency and stakeholder communication.

Systemic Security Failures

The breach reflects multiple layers of security failures that should never have occurred in an organization of Tata Motors' scale and sophistication:

Client-Side Credential Encryption: Encryption within browser-accessible code provides zero meaningful security when decryption keys are simultaneously exposed.

Hardcoded Authentication Tokens: Production credentials embedded in source code represent catastrophic security practices.

Excessive Permission Scope: AWS credentials with unrestricted bucket access violate fundamental principle-of-least-privilege security models.

Inadequate Secret Rotation: Long-lived credentials without regular rotation increase the breach impact window.

Insufficient Code Review: Security-critical credentials passing through code review processes indicate inadequate security awareness.
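A pre-deployment check for the hardcoded-credential failure in the list above: scan built front-end files for AWS access key IDs and a nearby secret, and fail the build on any hit. This is an added example, not tooling used by Tata Motors or the researcher; the sample bundle is constructed and uses the placeholder key pair from AWS documentation.

```python
import re
import sys

# Long-term (AKIA) and temporary (ASIA) access key IDs are 20 characters.
KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-style characters; alone this also matches
# things like SHA-1 hashes, so it is only reported near a key ID.
SECRET = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")

# Constructed bundle using the placeholder key pair from AWS documentation.
SAMPLE_BUNDLE = """\
const region = "ap-south-1";
const s3 = new S3Client({ region, credentials: {
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" } });
const mapsKey = process.env.MAPS_KEY;
"""

def redact(value):
    # Keep enough to locate the credential for rotation, never the whole value.
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan(text, window=3):
    """Return findings as (line_no, kind, redacted_value)."""
    lines = text.splitlines()
    id_lines = [i for i, line in enumerate(lines) if KEY_ID.search(line)]
    findings = []
    for i, line in enumerate(lines):
        for m in KEY_ID.finditer(line):
            findings.append((i + 1, "aws-access-key-id", redact(m.group())))
        # Report 40-character candidates only within `window` lines of a key ID.
        if any(abs(i - j) <= window for j in id_lines):
            for m in SECRET.finditer(line):
                findings.append((i + 1, "aws-secret-access-key", redact(m.group())))
    return findings

if __name__ == "__main__":
    hits = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits += [(path, *f) for f in scan(fh.read())]
    for hit in hits:
        print(*hit, sep=":")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI step
```

A pattern scan like this will not catch credentials that are delivered encrypted alongside their decryption key, as in the FleetEdge case; those have to be removed from the client entirely.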

Industry Implications

As India's largest automaker operating in 125 countries with operations affecting millions of customers, Tata Motors' security failures undermine global trust in data handling practices. The breach demonstrates that even major multinational corporations with substantial security budgets remain vulnerable to fundamental cloud configuration errors.

Industry experts emphasize that cloud credential management requires comprehensive secrets management systems, server-side authentication mechanisms, and regular security audits of exposed APIs and source code repositories.

The incident serves as an urgent reminder that technical sophistication matters far less than fundamental security hygiene, and that even obvious misconfigurations can persist undetected for years within enterprise environments.