October 31, 2025
Keys on aisle homepage
Hacking India's largest automaker: Tata Motors
Exposed keys, no passwords, and 70TB of secrets — the internet is roasting
TLDR: A researcher says exposed keys and no-password logins revealed huge troves of Tata Motors data. Commenters are stunned, demand real rewards for reporting bugs, and link the mess to wider corporate tech failures — making this a cautionary tale on basic security done wrong.
Commenters didn’t hold back after a hacker found Amazon cloud keys literally sitting on a Tata Motors parts website. In simple terms: those keys are like the company’s house keys, and they were taped to the front door. The community gasped at the idea that those keys were exposed just to fetch a 4 KB tax code file, yet they unlocked access to piles of sensitive data — an estimated 70 TB worth — across countless storage buckets. And the drama escalated: a fleet tracking site had “encrypted” keys that were easily decrypted on the visitor’s computer, plus a Tableau dashboard that let you log in as anyone, no password needed. The vibes? Stunned, snarky, and slightly horrified.
The hottest thread was about rewarding responsible disclosure — the author reportedly got only a “thank you,” prompting a chorus of “pay the bug bounty.” Others connected dots to the Jaguar Land Rover fiasco and pointed at Tata Consultancy Services with a knowing “IYKYK.” A few commenters threw sweeping shade at Indian corporate security, which sparked pushback from folks reminding everyone that big western brands mess up too. Meanwhile, jokes flew: “Keys as coupon codes,” “Table-oh-no,” and “FleetEdge? More like FleetSledge.” The consensus mood: this wasn’t just a slip-up — it was a full-on security soap opera.
Key Points
- Two sets of AWS keys were exposed on Tata Motors websites, granting access to hundreds of S3 buckets and over 70 TB of data.
- E-Dukaan contained plaintext AWS keys, exposing customer databases, market intelligence, invoices with personal data, and ~40 GB of admin reports; the keys were used to fetch a small tax code file.
- FleetEdge returned encrypted AWS keys that were trivially decrypted client-side, exposing a large data lake (files dating back to 1996) and enabling write access to some websites.
- A Tableau backdoor allowed passwordless logins as any user, including server admin, exposing internal projects, dealer dashboards, and financial reports; the flaw is believed to have been introduced by Tata.
- An exposed Azuga API key compromised a test drive fleet management system; all credentials shown were rotated and no substantial data was downloaded.
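
A pre-deployment check for the plaintext-key finding above, as an added example that is not code from the original write-up: it scans built web assets for AWS access key IDs and reports whether a likely secret sits next to them. The asset names, the 200-character window and the entropy threshold are assumptions; the sample key pair is the placeholder published in AWS documentation.

```python
import math
import re
from collections import Counter

# Access key IDs: AKIA (long-term) or ASIA (temporary) plus 16 uppercase/digit chars.
KEY_ID_RE = re.compile(r"(?<![A-Z0-9])(AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys: exactly 40 chars of the base64 alphabet, not part of a longer run.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 200        # chars searched either side of a key ID (assumed heuristic)
MIN_ENTROPY = 4.0   # bits per char; filters out low-randomness 40-char strings (assumed)

def entropy(s):
    """Shannon entropy of s in bits per character."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def redact(value):
    """Keep the first and last 4 chars so reports never re-leak the key."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]

def scan_asset(name, text):
    """Return one finding per access key ID found in a single asset."""
    findings = []
    for m in KEY_ID_RE.finditer(text):
        lo, hi = max(0, m.start() - WINDOW), m.end() + WINDOW
        nearby = [s.group(0) for s in SECRET_RE.finditer(text[lo:hi])
                  if entropy(s.group(0)) >= MIN_ENTROPY]
        findings.append({
            "asset": name,
            "line": text.count("\n", 0, m.start()) + 1,
            "key_id": redact(m.group(0)),
            "temporary": m.group(1) == "ASIA",
            "secret_nearby": bool(nearby),
        })
    return findings

def scan_build(assets):
    """Scan a mapping of asset name -> file contents; any finding should fail the build."""
    return [f for name, text in assets.items() for f in scan_asset(name, text)]

# Constructed sample build output (hypothetical file names and endpoint).
SAMPLE_ASSETS = {
    "static/js/config.js": 'const cfg = {\n  region: "ap-south-1",\n'
        '  accessKeyId: "AKIAIOSFODNN7EXAMPLE",\n'
        '  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n};\n',
    "static/js/app.js": 'fetch("/api/tax-codes").then(r => r.json());\n',
}

if __name__ == "__main__":
    for finding in scan_build(SAMPLE_ASSETS):
        print(finding)
```

A pattern scan like this only catches keys shipped in plaintext; keys that are delivered encrypted and decrypted in the browser, as in the FleetEdge finding, will not match, so the durable fix is to keep cloud credentials out of anything sent to the client.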