Toyota Motor Corporation warned last week that customers’ personal information may have been exposed after an access key was publicly available on GitHub for close to five years.
Toyota recently discovered that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.
T-Connect is the Japanese automaker’s official connectivity app that allows owners of Toyota vehicles to link their smartphone with the vehicle’s system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more.
This accidental publishing on GitHub made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.
On Sept. 17, 2022, Toyota changed the database’s keys and eliminated all potential access from unauthorized third parties.
However, the Japanese automaker’s announcement last week explained that customer names, credit card data, and phone numbers weren’t compromised since they weren’t stored in the exposed database.
While Toyota blamed a development subcontractor for the error, it recognized its responsibility for mishandling customer data and apologized for any inconvenience caused.
The automaker concluded that while there were no signs of data misappropriation, it still couldn’t rule out the possibility of someone accessing and stealing the data.
“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it,” Toyota added in its notice (translated).
That said, all users of T-Connect who registered between July 2017 and September 2022 were advised to stay alert against phishing scams and to avoid opening any email attachments from unknown senders claiming to be from Toyota.