Security researcher Eaton Zveare disclosed that in 2023 multiple public-facing Tata Motors applications (notably the E-Dukaan marketplace and the FleetEdge fleet product) contained hardcoded or client-recoverable cloud credentials and API tokens. These secrets allowed access to hundreds of S3 buckets and an estimated 70+ TB of data, including customer records, invoices, internal reports and fleet telemetry. The issues were reported to CERT-IN on 8 Aug 2023; Tata Motors has stated that the flaws were remediated in 2023 and that the credentials were later rotated.

E-Dukaan's source code contained plaintext AWS access keys. FleetEdge returned what appeared to be "encrypted" keys in API responses, but the client-side code contained the decryption routine, so anyone with the client could recover usable credentials. Those keys permitted broad S3 access (read, and in some cases write), exposing databases, invoices (reportedly including PAN numbers), administrative reports, and a datalake estimated at ~70 TB. The researcher also found a "trusted token" pattern that allowed passwordless access into internal Tableau dashboards, effectively a backdoor for impersonating users, including admin accounts, and an exposed Azuga API token in test-drive JavaScript that risked revealing or manipulating vehicle tracking data. The researcher reported no evidence of malicious exploitation prior to disclosure and states that the exposed secrets were later rotated.
Type
Research
Actors
Pub. date
October 28, 2025
Initial access
Exposed secret
Impact
Data exfiltration
Observed techniques
Vulnerability exploitation
Valid creds abuse
References
https://eaton-works.com/2025/10/28/tata-motors-hack/
https://www.cyberaccord.com/tata-motors-breach-over-70-tb-of-sensitive-data-and-test-drive-information-leaked-through-aws-credentials/
Status
Finalized
Last edited
Oct 29, 2025 12:13 PM