
Threat Actors Claim Expanded BMW Breach With IDOR Exploit, Employee and Customer PII, and Data From Mazda, Toyota, Audi, Ford, and 32 Additional Automakers

Dark Web Informer - Cyber Threat Intelligence

March 23, 2026 - 12:43:00 AM UTC
Germany (BMW HQ)
Automotive

Quick Facts

  • Date & Time: 2026-03-23 00:43:00 UTC
  • Threat Actor: xpl0itts
  • Primary Victim: BMW
  • Industry: Automotive
  • Category: Data Breach (Ongoing)
  • Automakers Affected: 36+ Companies
  • Exfiltration Status: Active / Ongoing
  • Collaborators: DarkRomance, teamPCP, +1
  • Exploit Type: IDOR
  • Network: Open Web
  • Price: TBD (New Post Coming)
  • Country: Germany

Incident Overview

A threat actor going by xpl0itts has posted an update claiming their previous BMW IDOR and document breach has expanded significantly. The actor states they have partnered with other groups, and their access now extends well beyond the original scope. They claim the exfiltration is still actively ongoing, and that a new comprehensive listing will be posted once they believe they have extracted everything available.


The update lists the following new data categories that have been added since the original breach:

  • Kubernetes Leads: K8s infrastructure data from BMW's environment.
  • Employee and Customer PII: Tens of thousands of records with full names, addresses, vehicle information, and VINs from customers worldwide.
  • IDOR Exploit: The original Insecure Direct Object Reference vulnerability is still for sale.
  • Configuration Data: Internal configuration files from BMW systems.
  • API Data: Newly exfiltrated API-related data.
  • Subsidiary Mapping: Nearly every subsidiary owned by BMW has been mapped.
  • Additional Automakers: New car company data now includes Mazda, Toyota, Audi, Ford, and 32 additional manufacturers.
  • Multi-Brand PII: Hundreds of other brands' PII including brand names, connections, email addresses, links, phone numbers, preferred brand data, provider information, telefax numbers, websites, city, country, address, and title fields.
  • Gas Station Data: Newly acquired gas station records.
  • Order Data and Order PII: Customer order records and associated personal information.
  • VIN Lookups: Vehicle Identification Number lookup data.

The actor claims the target caught on and took its database offline, but not before the group managed to exfiltrate data across 20,000 categories. They state they have data for every country's BMW group, along with internal chats from 26 other car companies. The group also claims to have gained access to PetScreening but chose not to breach it, instead notifying the company from a compromised ProtonMail account.


The post names three collaborating groups: DarkRomance, teamPCP, and one unnamed group described as "already quite big." The actor also mentions offering initial access via file upload and IDOR vulnerabilities across other portals. The listing explicitly states that no samples are provided yet because exfiltration is still in progress and the group wants to compile the best data before releasing samples publicly. The subdomain mapping screenshot shows approximately 60+ unique BMW Motorrad dealer subdomains, along with functional subdomains for a vehicle configurator, test environments, internal environments, and user portals.

Compromised Data Categories

  • Employee PII
  • Customer PII (Global)
  • Kubernetes / K8s Data
  • Configuration Files
  • API Data
  • Subsidiary Mappings
  • Vehicle Identification Numbers (VINs)
  • Order Data & Order PII
  • Gas Station Records
  • Multi-Brand PII (36+ Companies)
  • Dealer Subdomain Infrastructure
  • Internal Environments & Portals
  • IDOR Exploit (For Sale)
  • Initial Access (File Upload / IDOR)

Image Preview

Forum post by xpl0itts detailing expanded BMW breach with new data categories, multi-automaker access, group collaborations, and BMW Motorrad subdomain mapping
