Cybersecurity company RedHuntLabs recently discovered, during a routine Internet scan, that Mercedes-Benz had accidentally leaked an employee authentication token, which exposed all of the company's source code and repositories hosted on its GitHub Enterprise Server to the public network.

According to the analysis, Mercedes-Benz's GitHub Enterprise Server contained a large amount of confidential content:

  • Entire source code

  • Intellectual property

  • Connection strings for other services

  • AWS and Azure connection keys

  • Blueprints

  • Design documentation

  • SSO passwords

  • API keys

  • Other key material

The AWS and Microsoft Azure connection keys could be used to log in to Mercedes-Benz servers hosted by AWS and Microsoft, which may lead to the exposure of even more private data.

Developer accidentally exposed token on GitHub:

GitHub allows developers to generate authentication tokens as an alternative to passwords. A Mercedes-Benz employee accidentally exposed such a token in a public GitHub repository, which means that anyone who obtained the token could directly access Mercedes-Benz's GitHub Enterprise Server and download all of its data.

RedHuntLabs reviewed some of the data for verification purposes and found that it also contained AWS and Azure keys, Postgres database credentials and other Mercedes source code.

The security company then reported the issue to Mercedes-Benz through TechCrunch. After receiving the report, Mercedes-Benz immediately confirmed the problem and revoked the token, and at the same time deleted the entire repository that had exposed it.
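The exposure described above is the kind a pre-commit secret scan is meant to catch. The following is an added example, not code from RedHuntLabs, Mercedes-Benz or GitHub: it flags the credential types the article lists (GitHub tokens, AWS keys, database URLs with embedded passwords) in text before it is pushed, and uses an entropy check to skip documentation placeholders. The token shapes, the entropy threshold and the sample lines are this example's own assumptions.

```python
import math
import re

# Assumed secret shapes (this example's own list): GitHub classic-style tokens are a
# 3-letter prefix (ghp/gho/ghu/ghs/ghr) + "_" + 36 alphanumerics; AWS access key IDs are
# "AKIA" + 16 uppercase alphanumerics; database URLs that embed a password are also flagged.
PATTERNS = {
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_url_with_password": re.compile(r"\b(?:postgres|postgresql|mysql)://[^:/\s]+:[^@\s]+@"),
}
MIN_ENTROPY = 3.0  # bits per character; filler like "aaaa..." scores 0 and is skipped

def shannon_entropy(s: str) -> float:
    """Bits per character of s; separates random token bodies from placeholders."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def redact(value: str) -> str:
    """Keep just enough to locate the value; never write the full secret to a report."""
    return value[:8] + "..." + value[-2:]

def find_secrets(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, kind, redacted_value) for each likely secret in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                if kind != "db_url_with_password":
                    # Entropy check on the random part only (after the "ghp_"/"AKIA" prefix).
                    body = value[4:]
                    if shannon_entropy(body) < MIN_ENTROPY:
                        continue  # low-entropy value: almost certainly a documentation placeholder
                hits.append((lineno, kind, redact(value)))
    return hits

# Constructed sample input; none of these values is a real credential.
SAMPLE = "\n".join([
    "# .env checked into a repository",
    "export GITHUB_TOKEN=ghp_0123456789abcdefghijklmnopqrstuvwxyz",
    "export GITHUB_TOKEN=ghp_" + "a" * 36 + "  # placeholder copied from docs",
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE",
    "db_url = postgres://app:s3cret@db.internal:5432/app",
])
```

Running `find_secrets(SAMPLE)` reports lines 2, 4 and 5 and ignores the placeholder on line 3; the same function can be wired into a pre-commit hook that rejects the commit when the list is non-empty.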

It is unclear whether the data was leaked:

Scans show that the Mercedes-Benz employee accidentally exposed the authentication token in late September 2023, which means that several months passed between the exposure and the revocation. In those months, it is all but certain that other attackers scanned for the token and retrieved the data.

Unfortunately, Mercedes-Benz declined to say whether it knew of any third party that had accessed the exposed data, or whether the company was able to check for unusual access to the data, which would likely require a complete review of the logs from the past few months.