Toyota discloses data leak after access key exposed on GitHub

Gandalf_The_Grey

Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years.

Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more.

Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers.

This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.

On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties.

The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database.

Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused.

The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data.

"As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer's email address and customer management number are stored, at the same time, we cannot completely deny it," explains the notice (machine translated).

For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.
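Added example, not Toyota's or the forum's code: a minimal pre-commit style scanner in Python that flags a hardcoded access key in source before it reaches a repository, which is the kind of mistake described above. The sample source, variable names and key values are constructed; the AWS-style key-id prefix is a well-known public format used here only as an illustration of a format-based rule.

```python
import math
import re

# Constructed sample "source" resembling a connectivity-app backend config
# (not Toyota's code); every value below is made up.
SAMPLE_SOURCE = """\
# config for data-server client
DATA_SERVER_URL = "https://data.example.internal/api"
ACCESS_KEY = "AKIAEXAMPLE123456789"
access_secret = 'q7Pz9xL2mN4vB8kR1tY6wE3uI5oA0sD2fG9hJ4kL'
DEBUG = "true"
password = "changeme"
"""

# Rule 1: a string literal assigned to a name that suggests a credential.
CRED_ASSIGN = re.compile(
    r"""(?i)\b([A-Z_]*(?:key|secret|token|password)[A-Z_]*)\s*=\s*['"]([^'"]+)['"]"""
)
# Rule 2: AWS-style access key id (public format: AKIA/ASIA + 16 chars).
AWS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[A-Z0-9]{16}\b")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_source(text: str, min_entropy: float = 3.5, min_len: int = 16) -> list:
    """Return one finding per line that looks like a hardcoded credential.

    A known key-id format is always reported. For generic credential-looking
    assignments, short or low-entropy values (DEBUG = "true") are skipped so
    the check stays quiet enough to run on every commit.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = AWS_KEY_ID.search(line)
        if m:
            findings.append({"line": lineno, "rule": "aws-key-id", "value": m.group(0)})
            continue
        m = CRED_ASSIGN.search(line)
        if m:
            name, value = m.groups()
            if len(value) >= min_len and shannon_entropy(value) >= min_entropy:
                findings.append({"line": lineno, "rule": "high-entropy-credential",
                                 "name": name, "value": value})
    return findings
```

A hit from a hook like this should block the commit; if the key was already pushed, the only effective remedy is the one the notice describes, rotating the key, since repository history remains readable.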
 

TedCruz

5¥ securitay!!
Toyota was hacked 3 times in 2019, 4 times in 2020, and 2 times in 2021.
Toyota got smacked with ransomware too. It shut down their plant in Japan.
In a few years, when self-driving cars finally join the road, imagine getting ransomware in your car, for which you have to pay $500 in order for the car to start again and self-drive your drunk arse from the pub to your house.

But then again I saw Timecop in 1994 and their self-driving cars and I really believed that self-driving would be right around the corner, and it's been that way for decades. Then Elon bought out from Martin Eberhard and Marc Tarpenning (NOT INVENTED, MIND YOU) the Tesla company and started promising self-driving right around the next update (that's been since 2016). Now the only obstacles that prevent Tesla from ever becoming a self-driving vehicle are small children and shadows, and we all know that the world has none of that around.
 

ForgottenSeer 95367

In a few years, when self-driving cars finally join the road, imagine getting ransomware in your car, for which you have to pay $500 in order for the car to start again and self-drive your drunk arse from the pub to your house.
That's gonna be a Gen Z problem. They probably won't cope well with it.
 

Gandalf_The_Grey

Toyota finds more misconfigured servers leaking customer info
Toyota Motor Corporation has discovered two additional misconfigured cloud services that leaked car owners' personal information for over seven years.

This finding came after the Japanese carmaker conducted a thorough investigation on all cloud environments managed by Toyota Connected Corporation after previously discovering a misconfigured server that exposed the location data of over 2 million customers for ten years.

"We conducted an investigation for all cloud environments managed by TOYOTA Connected Corporation (TC). It was discovered that a part of the data containing customer information had been potentially accessible externally," reads the new Toyota notice.

The first cloud service exposed the personal information of Toyota customers in Asia and Oceania between October 2016 and May 2023.

The database, which should have only been accessible to dealers and service providers, was publicly exposed, leaking the following customer information:
  • Address
  • Name
  • Phone number
  • Email address
  • Customer ID
  • Vehicle registration number
  • Vehicle Identification Number (VIN)
The Japanese carmaker has not clarified how many customers were impacted by this leak.

The second cloud instance was exposed between February 9th, 2015, and May 12th, 2023, and contained less sensitive data related to cars' navigation systems. This data includes the in-vehicle device ID (navigation terminal), map data updates, and data creation dates (no vehicle location data) of approximately 260,000 customers in Japan.

This leak impacted customers who subscribed to the G-BOOK navigation system with a G-BOOK mX or G-BOOK mX Pro and some who subscribed to G-Link / G-Link Lite and renewed their Maps using Toyota's on Demand service between February 9th, 2015, and March 31st, 2022.

The impacted vehicles are models of Toyota's sub-brand, Lexus, and include LS, GS, HS, IS, ISF, ISC, LFA, SC, CT, and RX cars sold between 2009 and 2015.

Toyota says that data entries were automatically deleted from the cloud environment after a while, so there was a limited amount of data exposed at any given moment.
 
