- A threat actor claims to have leaked 23 Grupo ATC databases containing more than 340 GB of data.
- The alleged records include authentication tokens, API credentials, employee details, and application passwords.
- Grupo ATC and the companies mentioned have not confirmed the claims, and researchers have not independently verified them.

A threat actor claims to have published a massive cache of sensitive data allegedly stolen from Grupo ATC after failed ransom negotiations. The actor alleges the leak contains more than 23 databases, over 340 GB of information, and more than two billion unique records.
Daily Dark Web first reported the claims on X. According to the report, the alleged data came from the subsidiaries of Grupo ATC (TLEA, TLE, and PHES). However, Grupo ATC has not acknowledged the incident publicly. None of the organizations mentioned has confirmed a breach either. Independent researchers have also not verified the authenticity of the leaked data.
If the claims prove accurate, the incident could become one of the largest alleged supply chain data exposures involving the automotive and manufacturing industries.
Major Global Brands Allegedly Linked to the Leaked Data
The threat actor claims the leaked databases contain records tied to several multinational companies working with Grupo ATC. The list includes Tesla, Honda, Ford, Toyota, Hyundai, BMW, Nissan, General Motors, Mazda, Stellantis, Mabe, Nestlé, Penske, John Deere, and L’Oréal.
Despite those claims, no evidence currently suggests that any of those organizations suffered direct cyberattacks. There is also no indication that attackers compromised their internal networks or corporate infrastructure.
The threat actor further alleges the databases contain OAuth2 bearer tokens, refresh tokens, JSON Web Tokens (JWTs), API credentials, SFTP credentials, application passwords, employee information, third-party API keys, and other confidential business records.
If authentic, the exposed authentication materials could create serious security risks. Unlike ordinary passwords, compromised tokens may allow attackers to access systems without completing additional authentication steps. Those tokens may remain usable until administrators revoke or replace them.
The threat actor also claims the stolen information could support credential attacks, phishing campaigns, or financial fraud. It can also facilitate initial access operations that later develop into ransomware incidents. Criminal groups increasingly rely on these techniques to pressure victims during extortion campaigns.
Supply Chain Risks Continue to Challenge Organizations
The alleged breach highlights the growing dangers surrounding third-party suppliers and business partners. Many organizations exchange sensitive operational information with external vendors every day. A compromise affecting one supplier can create security problems across multiple connected businesses.
Modern supply chains often depend on shared credentials, cloud services, and application programming interfaces. Attackers frequently target vendors because one successful intrusion can expose several organizations simultaneously.
The value of such data is evident in other breach claims: a threat actor has claimed to be selling the personal data of 40 million Indian women, highlighting the lucrative market for stolen personal information.
Cybersecurity researchers continue urging caution when evaluating ransomware-related leak announcements. Threat actors sometimes exaggerate stolen data volumes or publish misleading information before independent investigators complete their analysis.
Investigation Continues as Verification Remains Pending
Grupo ATC has not released a public statement addressing the alleged incident at the time of writing. The companies identified by the threat actor have also remained silent regarding the claims. Until investigators validate the published data, security experts recommend treating the incident as an unverified allegation instead of a confirmed breach.
Organizations maintaining business relationships with Grupo ATC may still benefit from precautionary security reviews. Administrators should rotate privileged credentials, replace exposed API keys, monitor authentication logs, and inspect third-party connections for unusual activity while awaiting additional information.
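One way to run the authentication-log check recommended above, as an added example that is not part of the original article: it flags events where a JWT issued before a credential rotation was still accepted afterwards. The JSON log format, the field names (`ts`, `client`, `result`, `token`), the client names and the rotation time are assumptions constructed for the example.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (triage only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def pre_rotation_token_use(log_lines, rotated_at):
    """Return accepted post-rotation events whose token predates the rotation."""
    findings = []
    for line in log_lines:
        event = json.loads(line)
        if event["result"] != "accepted" or event["ts"] < rotated_at:
            continue
        try:
            claims = jwt_claims(event["token"])
        except (IndexError, ValueError):
            continue  # opaque bearer token: check it at the issuer instead
        # A missing iat is treated as 0, so such tokens are flagged too.
        if claims.get("iat", 0) < rotated_at:
            findings.append((event["ts"], event["client"], claims.get("jti")))
    return findings

def _sample_jwt(claims):
    """Build a constructed token with a dummy signature for the sample log."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}), enc(claims), "dummy-signature"])

def _event(ts, client, result, token):
    return json.dumps({"ts": ts, "client": client, "result": result, "token": token})

ROTATED_AT = 1_700_000_000  # constructed rotation time, Unix seconds
OLD = _sample_jwt({"jti": "old-1", "iat": ROTATED_AT - 3600, "exp": ROTATED_AT + 86400})
NEW = _sample_jwt({"jti": "new-1", "iat": ROTATED_AT + 10, "exp": ROTATED_AT + 3600})
SAMPLE_LOG = [  # constructed events; the field names are assumptions
    _event(ROTATED_AT - 60, "partner-api", "accepted", OLD),   # before rotation
    _event(ROTATED_AT + 300, "partner-api", "accepted", OLD),  # stale token still works
    _event(ROTATED_AT + 400, "partner-api", "accepted", NEW),  # reissued token
    _event(ROTATED_AT + 500, "partner-api", "rejected", OLD),  # revocation enforced
    _event(ROTATED_AT + 600, "sftp-sync", "accepted", "opaque-token-value"),
]

if __name__ == "__main__":
    for finding in pre_rotation_token_use(SAMPLE_LOG, ROTATED_AT):
        print("token issued before rotation still accepted:", finding)
```

A finding means rotation alone did not invalidate the old token, so it still has to be revoked at the issuer; opaque (non-JWT) tokens carry no readable issue time and need the same check on the issuer side.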
The reported exposure continues attracting attention because of its alleged scale and the number of internationally recognized brands mentioned. If future investigations confirm the claims, the incident could receive much closer scrutiny from researchers, victims, and regulators.
For now, the reported leak remains only a claim made by a threat actor. Additional evidence from Grupo ATC or independent cybersecurity researchers will determine the next steps.