The Japanese automaker Toyota has informed its customers that their personal information may have been exposed. The company discovered that part of the source code of its Toyota T-Connect app had been mistakenly published on GitHub and had remained publicly accessible for five years.
Toyota T-Connect is the automaker’s official connectivity app, which enables owners of Toyota vehicles to connect their smartphones to the infotainment system of their vehicles for phone calls, music, navigation, notifications integration, driving data, engine condition, fuel usage, and more.
The Data of Almost 300,000 Customers Compromised
The leak made it possible for an unauthorized third party to access a database containing the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.
The Japanese automaker issued an official apology and accepted responsibility for the improper management of customer data. BleepingComputer reports that Toyota attributed the error to a development subcontractor. In the apology, Toyota also noted that although there were no signs of data misappropriation, it cannot rule out the possibility that someone accessed and stole the data.
The personal information that may have been leaked is limited to e-mail addresses and customer control numbers; names, telephone numbers, credit card details, and other information such as data from the T-Connect service itself were not exposed.
Passwords Forgotten in the Code
This kind of security incident has become a large-scale problem that puts numerous sensitive data sets at risk of disclosure. Reports indicate that nearly 2,000 iOS and Android applications contain hard-coded AWS credentials in their code.
This is frequently the result of developer carelessness: credentials are stored in the code to make asset retrieval, service access, and configuration updates quick and easy while testing many iterations of an app. That is what happened with the T-Connect app.
Because of this persistent issue, GitHub has started checking published code for secrets and blocking commits that include authentication keys. However, GitHub cannot recognize such secrets by default if a developer uses unique access keys or custom tokens.
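As an added illustration (not code from Toyota, GitHub, or the original article), the following Python script shows the kind of local pre-commit check a team can run to close that gap: it flags the well-known AWS credential shapes and, because a hosted scanner cannot know an in-house token format unless it is told about it, also a hypothetical `tcx_` token pattern standing in for a custom token. The sample source text and the `tcx_` format are constructed; the AWS values are the placeholder credentials from AWS's own documentation.

```python
import re
from dataclasses import dataclass

# Built-in rules for well-known AWS credential shapes: the key ID is 20 characters
# beginning with AKIA (long-term) or ASIA (temporary); the secret is 40 base64-like
# characters and is matched here only when it sits in an obvious assignment.
DEFAULT_RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
}
# Hypothetical in-house token format (assumption for this example). A hosted
# scanner knows nothing about a shape like this unless a pattern is registered.
CUSTOM_RULES = {
    "inhouse_service_token": re.compile(r"\btcx_(?:live|test)_[0-9a-f]{32}\b"),
}

@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    masked: str  # never log the full secret, only enough to locate it

def mask(value: str) -> str:
    """Keep the first four characters so the hit can be identified; hide the rest."""
    return value[:4] + "*" * (len(value) - 4)

def scan_text(text: str, rules=None) -> list:
    """Return one Finding per (line, rule) hit. Rules default to the AWS shapes only."""
    rules = DEFAULT_RULES if rules is None else rules
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in rules.items():
            m = pattern.search(line)
            if m:
                hit = m.group(1) if m.groups() else m.group(0)
                findings.append(Finding(line_no, name, mask(hit)))
    return findings

# Constructed sample of code about to be committed (AWS values are documented placeholders).
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
service_token = "tcx_live_0123456789abcdef0123456789abcdef"
user_name = "demo"
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE, {**DEFAULT_RULES, **CUSTOM_RULES}):
        print(f"line {f.line_no}: {f.rule} -> {f.masked}")
```

Run against the sample, the default rules catch only the two AWS values; the custom `tcx_` token on line 4 is reported only once `CUSTOM_RULES` is merged in, which is exactly the blind spot the article describes.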
The database’s keys were updated on September 17, 2022, eliminating any potential access from unauthorized parties.
Toyota advises its customers to be careful, as they may receive unsolicited e-mails used in spoofing or phishing attacks. If you receive a suspicious e-mail, avoid opening any links or downloading any attachments from it.