Toyota, the Japanese automaker, has disclosed a security incident in which source code stored on GitHub may have given third parties access to roughly 300,000 customer email addresses.
According to the company, the incident affects customers registered with the T-Connect service, which offers vehicle management features such as find-my-car, maintenance reminders, concierge services, vehicle information, and a mobile application.
In its data breach notice, the automaker states that the exposure was caused by a subcontractor who uploaded Toyota source code to a GitHub repository that had mistakenly been set to public access.
Because of this misconfiguration, the source code was publicly accessible from December 2017 until September 2022, when open access to the repository was shut off.
According to the company, the source code contained the access key (password) for a server that stored customer data, namely email addresses and customer management numbers (assigned automatically to each user).
Toyota says that as soon as it became aware of the leak, it made the GitHub repository private and changed the server access key.
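The root cause described above, a server credential committed into source and pushed to a public repository, is exactly what a secret scanner run as a pre-commit or CI check is meant to catch. The following is an added example and is not Toyota's, the subcontractor's, or any existing tool's code: the sample files, variable names, and detection patterns are constructed for illustration, and the AWS-style key is the documented example value, not a real credential.

```python
import math
import re
from typing import Dict, List, Tuple

# Constructed sample repository contents (not Toyota's code), used only to
# exercise the scanner. settings.py reads its key from the environment, which
# is the pattern that should pass; the others embed literals that should not.
SAMPLE_FILES: Dict[str, str] = {
    "config.py": (
        'DB_HOST = "db.example.internal"\n'
        'DB_PASSWORD = "s3cr3tP@ssw0rd!2022"\n'
    ),
    "settings.py": (
        "import os\n"
        'API_KEY = os.environ["API_KEY"]\n'
        "TIMEOUT = 30\n"
    ),
    "deploy.sh": 'export SERVER_ACCESS_KEY="AKIAIOSFODNN7EXAMPLE"\n',
    "README.md": 'password = "<your-password-here>"\n',
}

# Identifier fragments that suggest the assigned literal is a credential.
SECRET_NAME = re.compile(
    r"(?i)(password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key)"
)
# NAME = "literal", name: 'literal', export NAME="literal" (values of 6+ chars).
ASSIGNMENT = re.compile(
    r'''(?P<name>[A-Za-z_][A-Za-z0-9_\-]*)\s*[:=]\s*["'](?P<value>[^"']{6,})["']'''
)
# AWS-style access key IDs are recognisable regardless of the variable name.
AWS_ACCESS_KEY_ID = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
# Documentation placeholders are not secrets and should not be reported.
PLACEHOLDER = re.compile(r"^(<.*>|\$\{.*\}|x{3,}|changeme|example)$", re.I)

Finding = Tuple[str, int, str, str]  # (path, line_no, reason, value)


def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking tokens score high, plain words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = [s.count(ch) for ch in set(s)]
    return -sum(c / n * math.log2(c / n) for c in counts)


def scan_text(path: str, text: str) -> List[Finding]:
    """Report suspected hard-coded secrets in one file's contents."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        seen = set()  # avoid reporting the same value twice on one line
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((path, line_no, "aws-access-key-id", m.group(0)))
            seen.add(m.group(0))
        for m in ASSIGNMENT.finditer(line):
            name, value = m.group("name"), m.group("value")
            if value in seen or PLACEHOLDER.match(value):
                continue
            if SECRET_NAME.search(name):
                findings.append((path, line_no, "secret-named-literal", value))
            elif len(value) >= 20 and shannon_entropy(value) > 4.0:
                findings.append((path, line_no, "high-entropy-literal", value))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} map; use os.walk + open() for a real tree."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, line_no, reason, value in results:
        # Never echo the full secret into CI logs; a prefix is enough to locate it.
        print(f"{path}:{line_no}: {reason}: {value[:4]}...")
    # As a pre-commit hook, a non-zero exit blocks the commit.
    raise SystemExit(1 if results else 0)
```

Run against the constructed files, the scanner flags the literal database password in config.py and the access key ID in deploy.sh, passes the environment lookup in settings.py, and ignores the README placeholder. Note that a scan like this only prevents new commits; once a secret has been pushed it lives on in clones, forks and the repository's history, so making the repository private after the fact is not enough and the credential has to be rotated, which is what the article reports Toyota did with the server access key.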
The company says it has begun sending apology notices to roughly 296,000 customers to alert them that their email addresses may have been exposed. It has not been able to determine whether any third party actually used the access key to connect to the server.
No other customer data, such as names, addresses, phone numbers, or credit card information, was affected, because no such information was stored on the server that may have been exposed. Email addresses registered for the MyToyota app and Lexus vehicle email addresses were also unaffected.
The automaker adds that, although there is no evidence that the exposed email addresses have been misused, affected customers should watch for phishing emails and other scams.
Customers can check whether their email address was exposed in the incident on a dedicated page on Toyota's website.
In February 2022, the automaker had to halt operations at all 14 of its plants in Japan because of a suspected cyberattack.
Source: HackerCombat