Toyota reports a security breach due to an access key leak online

October 11, 2022

Researchers report that an access key for Toyota’s T-Connect app has been publicly exposed on GitHub for about five years, resulting in a massive data breach of the automaker’s customers’ sensitive information.

Toyota T-Connect is a connectivity application for Toyota car owners. It links the owner's smartphone with the car's infotainment system so they can play music, answer calls, use navigation, view driving data and notifications, check engine and fuel status, and more.

In a recent disclosure, Toyota revealed that a portion of the T-Connect website's source code had been posted on GitHub, and that this code contained an access key to its customer database server. Using that key, threat actors could reach the automaker's customer database, which held more than 290,000 customer records collected between December 2017 and September 2022.

Upon discovering the access key leak, Toyota immediately restricted access to the GitHub repository.

Toyota rotated its database keys and passwords on September 17, 2022, and revoked all remaining access that unauthorised parties could have had through the exposed repository. The automaker also informed its customers that their full names, financial data, and contact details were not included in the exposed database.

The automaker added that the problem likely originated from an error by a development subcontractor. It nonetheless accepted responsibility for the compromise of customer data and apologised for any inconvenience caused.

There are no signs of data misuse so far, but customers are still urged to stay vigilant, since threat actors could have copied data from the exposed GitHub repository before it was locked down. All T-Connect app users should be cautious because they are at heightened risk of phishing. They were advised not to click on links in suspicious emails or text messages from senders claiming to represent Toyota.

Experts note that security incidents of this kind are commonly the result of developer error: engineers embed sensitive credentials directly in code to make fetching assets, accessing services, and updating configuration quicker while they test application iterations.

Once testing is complete, those credentials must be removed immediately to avoid the risk of a data leak. The Toyota T-Connect incident shows that many developers still mishandle sensitive data in this way, exposing customers' information to attackers.
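The practice described above, a credential pasted into source during testing and never removed, is exactly what a secret scanner in CI or a pre-commit hook is meant to catch. The following is an added example, not code from the article or from Toyota: a small scanner that flags common hardcoded-credential shapes in a constructed source file, next to the hardened pattern of reading the credential from the runtime environment so it never enters the repository. The regexes, the `SAMPLE_SOURCE` text, the `load_db_key` function and the `CUSTOMER_DB_ACCESS_KEY` variable name are all assumptions made for this example, and every key value in it is fake.

```python
import os
import re
from typing import List, Optional, Tuple

# Illustrative regexes for common hardcoded-credential shapes. These are
# written for this example and are not a vendor's published ruleset.
CREDENTIAL_PATTERNS = [
    # AWS-style access key id: "AKIA" followed by 16 uppercase alphanumerics.
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # name = "value" / name: 'value' where name looks like a secret and the
    # literal is at least 8 characters long.
    ("generic_assignment", re.compile(
        r"""(?i)(api[_-]?key|secret|password|passwd|token|access[_-]?key)"""
        r"""\s*[:=]\s*["']([^"']{8,})["']""")),
    # PEM private key header pasted into a file.
    ("private_key_block", re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")),
]

# Values that signal a documentation placeholder rather than a live secret.
PLACEHOLDER_MARKERS = ("example", "placeholder", "changeme", "your_")


def _is_placeholder(matched: str) -> bool:
    lowered = matched.lower()
    return any(marker in lowered for marker in PLACEHOLDER_MARKERS)


def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, matched_text) for each suspicious line.

    Lines whose match contains a placeholder marker are skipped so that
    documentation samples do not produce noise.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_name, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match and not _is_placeholder(match.group(0)):
                findings.append((lineno, rule_name, match.group(0)))
    return findings


# Constructed sample source file, modelled on the mistake described in the
# article: a database key left in code "temporarily". All values are fake.
SAMPLE_SOURCE = '''\
import boto3
# TODO remove before release
AWS_ACCESS_KEY_ID = "AKIAFAKEKEY000000000"
db_password = "hunter2hunter2"
api_key = os.environ["API_KEY"]  # fine: read from the environment
demo_token = "placeholder-token-here"
'''


def scan_sample() -> List[Tuple[int, str, str]]:
    """Run the scanner over the constructed sample so the result is testable."""
    return scan_source(SAMPLE_SOURCE)


def load_db_key(var_name: str = "CUSTOMER_DB_ACCESS_KEY",
                env: Optional[dict] = None) -> str:
    """Hardened pattern: the credential lives only in the process environment
    (populated by a secrets manager or deployment system), never in the repo.
    `env` is injectable so the behaviour can be exercised without touching
    the real environment; it defaults to os.environ."""
    source = os.environ if env is None else env
    value = source.get(var_name)
    if not value:
        # Fail closed: refuse to start rather than fall back to a hardcoded value.
        raise RuntimeError(f"{var_name} is not set; refusing to start without a credential")
    return value


if __name__ == "__main__":
    for lineno, rule, text in scan_sample():
        print(f"line {lineno}: {rule}: {text}")
```

Run as a script it reports the fake AWS key on line 3 and the password literal on line 4 of the sample, while the line that reads from `os.environ` and the labelled placeholder are left alone. In a real pipeline the same `scan_source` function would be fed each staged file from a pre-commit hook or CI job and the build would fail on any finding; a tool such as this catches the "forgot to remove it" case, but it does not replace rotating any key that has already been pushed, which is why Toyota's key rotation was the necessary response once the exposure was found.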
