Skip links

Toyota dev left key to customer info on public GitHub page for five years

Toyota has admitted it put 296,019 email addresses and customer management numbers of folks who signed up for its T-Connect assistance website at risk of online theft by bungling its security.

The automaker’s Japanese newsroom carries an apology for the privacy snafu, in which it explains an outsourced developer tasked with building T-Connect uploaded the source code for the site to a GitHub public repo in December 2017.

Nobody noticed that until September 15, 2022.

Once Toyota looked at that source code, the manufacturing giant realized this public-facing code repository contained an access key to a server that stored customer data. That server was therefore also open to the world.

Upon discovering the GitHub repo, Toyota immediately made it private. Two days later the company changed the access key to the data server.

The Japanese giant commissioned an investigation into the blunder and was unable to confirm or deny whether miscreants had spotted and used the key to pilfer data from the server.

T-Connect offers features such as smartphone based digital keys to unlock Toyota vehicles, navigation services, and remote starting.

Thankfully, the customer management numbers stored on the server aren’t much use to third parties. But email addresses are – especially if criminals decide to fire up some Toyota-themed phishing. The automaker has therefore warned T-Connect users to scrutinize incoming emails carefully.

Perhaps the car maker needs to scrutinize its own affairs more closely too, given it experienced a cyberattack in March 2022 that shuttered its plants, sold cars susceptible to losing wheels while in motion, and faked emissions data at truck-making subsidiary Hino.

Oh, what a set of failings. ®

Source