Leaked Toyota Access Key On GitHub Exposed 300K Customer Email Addresses For 5 Years
According to Toyota’s statement on this matter, a subcontractor developing the T-Connect website mistakenly uploaded part of the website’s source code to the subcontractor’s own GitHub account. Toyota says that this action, which took place back in December 2017, violated its handling rules, but that it went unnoticed until September 15th of this year. Unfortunately, the source code uploaded to GitHub contained an access key for one of Toyota’s data servers holding customer information. A similar mistake in 2020 led to the massive Shanghai National Police data breach earlier this year.
If a third-party actor did use the exposed access key to gain unauthorized access to the associated data server, Toyota says that the actor would have been able to see the email addresses and customer management numbers of T-Connect subscribers who registered their email addresses on the T-Connect user website. According to the company, the email addresses of 296,019 customers were potentially exposed in this way.
Fortunately, additional information like names, phone numbers, and credit card information was not exposed. That said, if a third party did access the data server and exfiltrate the list of subscriber email addresses, T-Connect subscribers could be subject to targeted phishing attacks. Toyota’s statement on this matter warns customers to be wary of suspicious emails. Toyota will be individually contacting customers who may have been affected by this potential exposure. The company’s statement also lists a phone number for a support line dedicated to this issue, as well as a link to a form customers can fill out to check whether their email address may have been affected.