Toyota Motor Corporation is warning that customers’ personal information may have been exposed after an access key was publicly available on GitHub for almost five years.
Toyota T-Connect is the automaker’s official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle’s infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more.
Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.
On September 17, 2022, the database’s keys were changed, purging all potential access from unauthorized third parties.
The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database.
Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused.
The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data.
“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it,” – explains the notice (machine translated).
For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.
Forgetting passwords in the code
This type of security incident has become a large-scale problem that places troves of sensitive data at risk of exposure.
In September, Symantec’s security analysts unveiled that nearly 2,000 applications for iOS and Android contain hard-coded AWS credentials in their code.
This is typically the result of developer negligence, storing credentials in the code to make asset fetching, service access, and configuration updating quick and easy while testing multiple app iterations.
These credentials should be removed when the software is ready for actual deployment, but unfortunately, as the case of the T-Connect app shows, this isn’t always done.
However, if a developer uses non-standard access keys or custom tokens, GitHub will not be able to detect them by default.