Recently, reports surfaced that private information of almost 300,000 Toyota customers has been compromised. The automaker has now learned that the leak may have occurred because its access key was publicly available on GitHub, which it did not know about for five years.
It bears mentioning that everyone affected by the leak is a T-Connect user. T-Connect is Toyota’s own connectivity app that enables motorists to connect their smartphones to the vehicle’s infotainment system.
The company recently realized that someone had inadvertently uploaded the T-Connect website’s source code to GitHub. This code contained an access key to the data server that stored customer email addresses and management numbers.
This allowed an unauthorized third party access to the information of 296,019 customers between December 2017 and September 15, 2022. On September 17, 2022, someone changed the database keys, eliminating the possibility of unauthorized access.
The automaker clarified that the hackers did not get access to client names, credit card information, or telephone numbers, as these were stored in a different database.
Toyota attributed the issue to a development subcontractor but acknowledged its responsibility for the error. The company has issued a public apology for the inconvenience.
Even though there are no indications of data theft, the Japanese manufacturer cannot discount that possibility. The notification reads:
“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it.”
The carmaker has asked all T-Connect users who enrolled between July 2017 and September 2022 to be wary of any suspicious pings or emails.
