Leaked Toyota Access Key On GitHub Exposed 300K Customer Email Addresses For 5 Years
Toyota, the world’s largest car company, recently discovered that an access key for one of its data servers has been publicly available on GitHub for almost five years, exposing the data on this server to potential unauthorized third party access. The data server in question stores information related to subscribers of Toyota’s T-Connect service. Upon discovering that the access key was publicly available on GitHub, Toyota promptly made the source code containing the key private. The company also changed the access key for the relevant data server to prevent anyone who obtained the key from GitHub from accessing the server going forward.
According to Toyota’s statement on this matter, a subcontractor developing the T-Connect website mistakenly uploaded part of the website’s source code to the subcontractor’s own GitHub account. Toyota says that this action, which took place back in December 2017, violated its handling rules, but that it went unnoticed until September 15th of this year. Unfortunately, the source code uploaded to GitHub contained an access key for one of Toyota’s data servers holding customer information. A similar mistake in 2020 led to the massive Shanghai National Police data breach earlier this year.
According to Toyota’s statement on this matter, a subcontractor developing the T-Connect website mistakenly uploaded part of the website’s source code to the subcontractor’s own GitHub account. Toyota says that this action, which took place back in December 2017, violated its handling rules, but that it went unnoticed until September 15th of this year. Unfortunately, the source code uploaded to GitHub contained an access key for one of Toyota’s data servers holding customer information. A similar mistake in 2020 led to the massive Shanghai National Police data breach earlier this year.
However, while an unauthorized third party potentially could have used the Toyota access key to connect to the associated data server and access customer information, the company cannot currently confirm or deny that such a data breach took place. Five years is a long time for an access key to be publicly available on the open web. Nonetheless, it’s still entirely possible that Toyota and its customers were lucky and no one discovered the access key or used it to connect to the company’s data server.
If a third party actor did use the exposed access key to gain unauthorized access to the associated data server, Toyota says that the actor would have been able to see the email addresses and customer management numbers of T-Connect subscribers who registered their email addresses on the T-Connect user website. According to the company, the email addresses of 296,019 customers were potentially exposed in this way.
Fortunately, additional information like names, phone numbers, and credit card information was not exposed. That said, if a third party did access the data server and exfiltrated the list of subscriber email addresses, T-Connect subscribers could be subject to targeted phishing attacks. Toyota’s statement on this matter warns customers to be wary of suspicious emails. Toyota will be individually contacting customers who may have been affected by this potential exposure. The company’s statement also lists a phone number for a support line dedicated to this issue, as well as a link to a form customers can fill out to check whether their email address may have been affected.
If a third party actor did use the exposed access key to gain unauthorized access to the associated data server, Toyota says that the actor would have been able to see the email addresses and customer management numbers of T-Connect subscribers who registered their email addresses on the T-Connect user website. According to the company, the email addresses of 296,019 customers were potentially exposed in this way.
Fortunately, additional information like names, phone numbers, and credit card information was not exposed. That said, if a third party did access the data server and exfiltrated the list of subscriber email addresses, T-Connect subscribers could be subject to targeted phishing attacks. Toyota’s statement on this matter warns customers to be wary of suspicious emails. Toyota will be individually contacting customers who may have been affected by this potential exposure. The company’s statement also lists a phone number for a support line dedicated to this issue, as well as a link to a form customers can fill out to check whether their email address may have been affected.
