Toyota discloses accidental leak of some customers’ personal information

Toyota Motor Corporation discloses data leak, customers’ personal information may have been exposed after an access key was exposed on GitHub.

Toyota Motor Corporation warns customers that their personal information may have been accidentally exposed after an access key was publicly available on GitHub for almost five years.

The carmaker discovered recently that a portion of its T-Connect site source code was mistakenly published on GitHub.

T-Connect is an app developed by the company that allows car owners to control the vehicle’s infotainment system and monitor the access of the vehicle.

The code also contained an access key to the data server that stored customer info, such as email addresses and management numbers. The source code was leaked by a development subcontractor.

An unauthorized third party could have had access to the details of Toyota customers between December 2017 and September 15, 2022. The number of impacted customers is 296,019, the GitHub repository was restricted in September 2022 and the keys were changed.

Exposed records include customer names, credit card data, and phone numbers have not been compromised as they weren’t stored in the exposed database.

The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data.

“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time we cannot completely deny it. We now have.” reads the notice published by the company.

The company announced that it will individually send an apology and notification to the impacted customers. Toyota also set up a special form on its website to allow customers to check whether their data was exposed.

Users of T-Connect who registered between July 2017 and September 2022 could be exposed to fraudulent activities, including scams. The carmaker recommends customers remain vigilant against potential scams.

The company is not aware of any abuse of the personal information of its customers.

“At this time, we have not confirmed any unauthorized use of personal information related to this matter, but it is possible that spam e-mails such as “spoofing” or “phishing scams” using e-mail addresses may be sent. If you receive a suspicious e-mail with an unknown sender or subject, there is a risk of virus infection or unauthorized access, so please do not open the file attached to the e-mail and delete the e-mail itself immediately.” continues the notice.

“In addition, please be careful when accessing the address (URL) described in the email. Please pay close attention to the following.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Toyota Motor Corporation)

[adrotate banner=”5″]

[adrotate banner=”13″]