Japanese automaker Toyota apologised to its customers for a possible data leak due to the company’s source code being posted on GitHub for over three years. This notice referred to the users who had signed up for the T-Connect smartphone app, which links to their vehicles. The T-Connect app offers features like immediately connecting to its call center in case of an emergency, alerting of malfunctions in the vehicle, showing driving range, mileage, etc.
Although there have been no cyberattacks reported by its customers so far, the company apologized for the improper handling of its source code that could have exposed them to hackers. A translated copy of the notice read, “E-mail addresses and customer management numbers of some customers who have signed up for T-Connect (For management purposes, each customer number assigned), 296,019 cases were found to have been leaked.”
It further stated that customers who registered had their email addresses on the app after July 2017 might have been exposed. However, the attacks depend on the possibility of a cybercriminal finding the source code and misusing it.
How the issue came to light
On September 15, 2022, Toyota came across published material on GitHub that contained T-Connect site source code. As a result, it was revealed that from December 2017 to September 15, 2022, a third party was able to access part of the source code on GitHub,” the notice read. The source code contained access keys to its data server that would allow a hacker access to email addresses and customer management numbers. On September 15, the GitHub data was made private; on September 17, the company changed the access key of the data server with other necessary preventive steps.
As per the report, the code was mistakenly published in December 2017, and the company blamed a development subcontractor for posting it on their GitHub account. The motor company further said they would write to users individually in case any illegal activity is detected. They also urged customers to beware of unsolicited links and activities that may be malicious and could cause data loss or other customer issues.