Toyota Discloses Data Leak After Access Key Exposed On GitHub (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Toyota Motor Corporation is warning that customers' personal information may have been exposed after an access key was publicly available on GitHub for almost five years. Toyota T-Connect is the automaker's official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle's infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more. Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers. This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted.
On September 17, 2022, the database's keys were changed, purging all potential access from unauthorized third parties. The announcement explains that customer names, credit card data, and phone numbers have not been compromised as they weren't stored in the exposed database. Toyota blamed a development subcontractor for the error but recognized its responsibility for the mishandling of customer data and apologized for any inconvenience caused. The Japanese automaker concludes that while there are no signs of data misappropriation, it cannot rule out the possibility of someone having accessed and stolen the data. For this reason, all users of T-Connect who registered between July 2017 and September 2022 are advised to be vigilant against phishing scams and avoid opening email attachments from unknown senders claiming to be from Toyota.
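The failure described in the summary is a credential sitting in source code that later became public. The usual defensive control is a secret scan run before code is pushed (as a pre-commit hook or a CI gate), so that a key never reaches a remote repository in the first place. Below is an added example of such a scanner; it is not code from the article, from Toyota, or from its subcontractor. The rule set, the `looks_random` heuristic, and the `SAMPLE_SOURCE` file contents are all constructed for illustration, and a production scanner would carry far more patterns.

```python
"""Added example: a minimal pre-commit style secret scanner.

Not from the article or from any Toyota code base. It runs three illustrative
rules over a constructed sample file and reports the lines that would block a
push. Real tools (gitleaks, trufflehog, GitHub secret scanning) use hundreds of
patterns plus provider-specific validation.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Illustrative rules. The AKIA prefix is the documented shape of an AWS access
# key id; the other two are generic and deliberately conservative.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|access[_-]?key|secret|token|password)\b"
        r"\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(value: str) -> bool:
    """Heuristic (an assumption of this example, not a standard): a real key is
    long, mixes letters and digits, and has reasonably high entropy. This keeps
    placeholders such as "changeme_in_production" from being reported."""
    return (
        len(value) >= 16
        and any(c.isalpha() for c in value)
        and any(c.isdigit() for c in value)
        and shannon_entropy(value) >= 3.0
    )


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    snippet: str


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every line of `text` that trips one of the rules."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pat in PATTERNS.items():
            m = pat.search(line)
            if not m:
                continue
            # Generic assignments only count when the value itself looks like a
            # secret; the provider-specific and PEM rules need no extra check.
            if rule == "generic_assignment" and not looks_random(m.group(1)):
                continue
            findings.append(Finding(path, lineno, rule, line.strip()))
    return findings


# Constructed sample: a settings file of the kind a backend might mistakenly
# commit. Lines 3 and 4 should be reported; lines 5 and 6 should not.
SAMPLE_SOURCE = """\
import os
# constructed settings file for the example
AWS_ACCESS_KEY_ID = "AKIAEXAMPLEKEY000001"
api_key = "c9f3a7e1b2d4f6a8c0e2b4d6f8a1c3e5"
password = "changeme_in_production"
token = os.environ["T_CONNECT_TOKEN"]
"""

if __name__ == "__main__":
    hits = scan_text("settings.py", SAMPLE_SOURCE)
    for f in hits:
        print(f"{f.path}:{f.line}: [{f.rule}] {f.snippet}")
    # A pre-commit hook would exit non-zero here to block the commit.
    raise SystemExit(1 if hits else 0)
```

Two points the article's timeline makes worth repeating in the design: the hook is only a first line of defence, so the same rules should also run over the full history of any repository before it is made public, and once a key has been committed the only remediation is rotation, exactly as Toyota did on September 17, 2022, since removing the file from the tree does not remove it from the history or from any clone.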
Who needs skilled black hats (Score:2)
Companies seem to do all the hard work for them.
Ulterior Motive... (Score:2)
Here's another way of looking at this: a company looking to claim negligence under a blanket statement dating back many, many years.
Yeah, I know we all want to view them more as a company looking to step up and voluntarily disclose a data breach of customer information, but back-pedaling the date that far tends to raise a question or five...
Re: (Score:2)
That's why you don't share anything with the HU. You either use CarPlay or Android Auto, or only link the audio. Keep all your data on your phone; don't let the HU have any.
Massive Mismanagement (Score:2)
Sorry, but the problem is WAY bigger than a "subcontractor messed up." Heads are gonna roll for this.
Re: (Score:3)
This is the same Toyota where, when they were accused of unintended acceleration, a code review found that there were multiple code paths which could cause that, caused in part by Toyota engineers not in fact following Toyota's own coding standards, let alone well-established industry standards.
I would imagine that this is pretty much how they operate in general...
I drove a Toyota rental recently (Score:2)
Re: (Score:2)
They tolerate it because over the last two decades they have been slowly trained to accept such things. It's that simple.