“It’s relatively recently that C-level executives have begun to acknowledge that some of their third-party relationships are creating unbelievable risk,” said Larry Ponemon, the research firm’s founder.

The auto industry has a deep and complex supply chain, and third-party security risk is an area of growing concern, said Faye Francy, the executive director of the Automotive Information Sharing and Analysis Center, a trade group that focuses on cybersecurity.

Generally, automakers’ top security priority is vehicle risks, she said, such as vulnerabilities that could be used to attack a car’s critical components. Leaked corporate documents aren’t quite as fraught — “I doubt anyone is going to die over it,” Ms. Francy said — but the exposure of such information is still worrying.

“No one wants their data outside of their own company,” she said. “Anything that showcases how they manufacture is proprietary and competitive.”

Mr. Vickery, the director of cyber risk research at UpGuard, a security services company in Mountain View, Calif., has made a career out of hunting unguarded data caches.

He’s a rarity in the industry: a security sleuth who doesn’t hack. Instead, he searches communication ports and the internet’s hive of connected devices to find information inadvertently made public. His discoveries have included medical records, airport security files, hotel bookings, a terrorist screening database and 87 million Mexican voter registration records. Once the sensitive information has been secured, he publicly discloses that the data had been revealed.

Mr. Vickery found Level One’s data through an exposed backup server. It required no password or special access permissions, he said. Anyone who connected could download the material, which totaled at least 157 gigabytes and contained nearly 47,000 files filled with factory records and diagrams from companies including Fiat Chrysler, Ford, General Motors, Tesla, Toyota and Volkswagen.