A threat actor tracked as xpl0itts, collaborating with groups DarkRomance and teamPCP, claims an ongoing and expanding data exfiltration campaign against BMW and at least 35 additional automakers (including Toyota, Mazda, Audi, and Ford) via an Insecure Direct Object Reference (IDOR) vulnerability in BMW's infrastructure. The actor states exfiltration is still active, with data spanning Kubernetes infrastructure, tens of thousands of employee and customer PII records, internal configuration files, VIN databases, and internal chat logs from 26 car companies. No independent verification has been published, but the technical specificity and breadth of the claimed data, including a subdomain map of 60+ BMW Motorrad dealer portals, elevates this beyond routine dark web noise.

What Happened

The incident began as a BMW-specific breach leveraging an IDOR vulnerability, which xpl0itts has since escalated into a multi-party, multi-brand operation. In an update posted March 23, 2026, the actor announced that their access has expanded significantly through collaboration with DarkRomance, teamPCP, and one undisclosed group described as "already quite big."

The attacker states that BMW detected the intrusion and took the targeted database offline, but not before the group extracted data across 20,000 categories. Despite that partial containment, xpl0itts claims exfiltration is still ongoing across other connected systems and brands. A comprehensive data listing is being withheld until the group believes it has extracted everything available, at which point samples will be released publicly and a price will be set.

The actor also claims to have mapped nearly every BMW subsidiary and to hold internal chat logs from 26 automakers, suggesting access extended beyond API and database endpoints into internal communications infrastructure. Notably, the group claims to have discovered access to PetScreening during the operation but chose not to exploit it, instead notifying the company from a compromised ProtonMail account, a calculated move that signals operational control and selective escalation.

The IDOR vulnerability itself is being offered for sale separately, meaning other actors may acquire and exploit the same access vector.

What Was Taken

Claimed exfiltrated data categories include:

Why It Matters

The IDOR-as-pivot model is the story here. A single misconfigured access control vulnerability in one automaker's customer-facing or partner portal has apparently cascaded into access across 35+ brands. This is the multi-tenant and shared-infrastructure risk in practice: when one company's systems share APIs, data pipelines, or portal infrastructure with partners and subsidiaries, an IDOR in one endpoint can become a master key.

The automotive sector holds uniquely high-value data. VINs combined with owner PII enable targeted fraud, vehicle theft facilitation, and insurance fraud at scale. Kubernetes configuration data and internal subdomain maps give sophisticated actors a persistent blueprint for future intrusions. Internal chat logs from 26 companies represent months or years of business intelligence with potential corporate espionage value.

teamPCP's involvement is a significant escalation signal. TeamPCP was previously identified as the threat actor behind the Trivy vulnerability scanner supply chain attack in March 2026. Their presence in this collaboration suggests an organized, technically capable collective operating across multiple simultaneous campaigns, not isolated opportunists.

The "for sale" IDOR exploit multiplies the risk. Once the original vulnerability is commercialized, every actor who purchases it becomes a new threat to the same surface. BMW and its technology partners may be facing not one but multiple waves of exploitation from the same root cause.

The Attack Technique

Primary vector: Insecure Direct Object Reference (IDOR)

IDOR vulnerabilities occur when an application exposes internal object references (database record IDs, file paths, API endpoints) without proper authorization checks. An attacker who can enumerate or guess these references can access data belonging to any user or organization without needing stolen credentials. In this case, BMW's portal infrastructure apparently used predictable or insufficiently protected object references that allowed the attacker to traverse customer, employee, and partner data at scale.
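To make the authorization gap concrete, here is an added example (not BMW's code and not from the page's sources) showing a VIN-linked record lookup in its IDOR-prone form beside the hardened form that enforces the server-side ownership check recommended under step 1 below. The record store, the dealer tenants and the identities are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample store: VIN-linked customer records keyed by a sequential id.
RECORDS = {
    1001: {"owner": "alice", "vin": "WBA-EXAMPLE-0001", "email": "alice@example.com"},
    1002: {"owner": "bob", "vin": "WBA-EXAMPLE-0002", "email": "bob@example.com"},
}

# Constructed tenant mapping: a dealer may read records only for customers it serves.
DEALER_CUSTOMERS = {"dealer-north": {"alice"}, "dealer-south": {"bob"}}


@dataclass(frozen=True)
class Principal:
    name: str                      # identity taken from a verified session or token
    dealer: Optional[str] = None   # dealer tenant the principal acts for, if any


class Forbidden(Exception):
    pass


def lookup_vulnerable(principal: Principal, record_id: int) -> dict:
    """IDOR: the caller is authenticated, but nothing ties the id to the caller,
    so any session can walk 1001, 1002, ... and read every record."""
    return RECORDS[record_id]


def is_authorized(principal: Principal, record: dict) -> bool:
    """Server-side ownership check: the caller owns the record, or the caller's
    dealer tenant serves the record's owner."""
    if record["owner"] == principal.name:
        return True
    return record["owner"] in DEALER_CUSTOMERS.get(principal.dealer, set())


def lookup_hardened(principal: Principal, record_id: int) -> dict:
    """Same endpoint with the authorization check applied before data leaves."""
    record = RECORDS.get(record_id)
    # Same error for "missing" and "not yours", so ids cannot be probed for existence.
    if record is None or not is_authorized(principal, record):
        raise Forbidden("record not accessible")
    return record
```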

Escalation path: The initial IDOR access was expanded via file upload vulnerabilities across additional portals (also offered for sale), Kubernetes data extraction, and what appears to be API enumeration across connected brand systems. The subdomain infrastructure mapping suggests the actor conducted systematic reconnaissance before pivoting.

Collaboration model: xpl0itts, DarkRomance, and teamPCP appear to be operating as a coordinated access broker / exfiltration team: one group finding and maintaining access, others assisting with data staging and extraction.

What Organizations Should Do

  1. Conduct an immediate IDOR audit across all customer-facing and partner-facing API endpoints. IDOR is among the most common and most impactful web application vulnerabilities. Every endpoint that returns data based on a user-supplied ID (order IDs, VIN lookups, customer record numbers) must enforce server-side authorization checks confirming the requesting user owns or is permitted to access the requested object. Do not rely on obscurity or client-side controls.

  2. Inventory and segment shared infrastructure with automotive partners and subsidiaries. If your VIN lookup API, dealer portal, or customer data pipeline is shared with or accessible from 35+ other companies' systems, a breach of any one node is a breach of all. Map the trust relationships, enforce API authentication at every boundary, and eliminate implicit cross-tenant data access.

  3. Implement Kubernetes hardening and network policy controls. K8s cluster data in attacker hands exposes your entire container infrastructure layout. Enforce RBAC, disable unauthenticated API server access, enable audit logging on the API server, and ensure cluster configs are not accessible from internet-facing systems. Treat K8s config files as secrets.

  4. Monitor for subdomain enumeration and abnormal API call patterns. The attacker mapped 60+ BMW Motorrad dealer subdomains, an activity that generates recognizable DNS query and HTTP request patterns. Web application firewalls and API gateways should flag high-volume enumeration behavior and rate-limit unauthenticated object access requests.

  5. Treat VIN + PII combinations as high-sensitivity regulated data. VIN-linked customer records enable downstream fraud that affects individual consumers, insurance companies, and law enforcement. Enforce DLP controls on datasets that combine VINs with personal identifiers, and establish breach notification workflows specific to automotive PII exposure.

  6. Track teamPCP as an active, multi-campaign threat actor. TeamPCP's appearance in both the Trivy supply chain attack and this automotive exfiltration campaign within weeks of each other indicates an organized group with technical depth and multiple simultaneous operations. Ensure your threat intelligence feeds are tracking this actor's TTPs and IOCs across both campaigns.
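As an added example of the detection logic described in step 4 (not taken from the page's sources or any vendor product), the following flags clients that walk sequential object ids against one API resource and are mostly denied, the signature of id enumeration against an endpoint. The log format, the thresholds and the sample lines are constructed; a real deployment would read its gateway or WAF logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, client, method, path, status.
SAMPLE_LOG = """\
2026-03-23T10:00:00Z 203.0.113.7 GET /api/customers/1001 200
2026-03-23T10:00:01Z 203.0.113.7 GET /api/customers/1002 200
2026-03-23T10:00:01Z 203.0.113.7 GET /api/customers/1003 403
2026-03-23T10:00:02Z 203.0.113.7 GET /api/customers/1004 403
2026-03-23T10:00:02Z 203.0.113.7 GET /api/customers/1005 404
2026-03-23T10:00:03Z 203.0.113.7 GET /api/customers/1006 403
2026-03-23T10:00:05Z 198.51.100.9 GET /api/customers/2001 200
2026-03-23T10:00:40Z 198.51.100.9 GET /api/orders/77 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
OBJECT_RE = re.compile(r"^(/api/[a-z]+/)(\d+)$")  # resource prefix + numeric object id

def parse(log):
    """Yield (timestamp, client, path, status) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, _method, path, status = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, path, int(status)

def find_enumerators(log, window=timedelta(seconds=10), min_ids=5, max_ok_ratio=0.5):
    """Flag clients that request >= min_ids distinct ids under one resource inside
    `window` while succeeding on at most max_ok_ratio of those requests."""
    hits = defaultdict(list)  # (client, resource prefix) -> [(ts, object id, status)]
    for ts, client, path, status in parse(log):
        m = OBJECT_RE.match(path)
        if m:
            hits[(client, m.group(1))].append((ts, m.group(2), status))
    flagged = {}
    for (client, resource), events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            ids = {e[1] for e in in_win}
            if len(ids) < min_ids:
                continue
            ok = sum(1 for e in in_win if e[2] == 200) / len(in_win)
            if ok <= max_ok_ratio:
                flagged[client] = {"resource": resource, "distinct_ids": len(ids), "ok_ratio": round(ok, 2)}
                break
    return flagged
```

The thresholds are deliberately conservative; tune min_ids and the window against a baseline of legitimate dealer traffic before alerting on them.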

Sources