Toyota has admitted it mistakenly left a database of around 300,000 customer emails unsecured online, meaning anyone could have accessed private information.
The leak appears to have affected Toyota’s proprietary connectivity app, which allows drivers to connect their smartphones with the car, and use the in-car system to make calls, listen to music, use the navigation system, and similar.
This app, called T-Connect, had a portion of its site source code published on GitHub, apparently by mistake, and that portion held an access key to the data (opens in new tab) server that stored customer email addresses and management numbers. It didn’t store customer names, credit card data, phone numbers, or other data that could be used for identity theft.
Ripe for phishing
An email address is enough to launch a phishing attack, though.
Still, the database contained just shy of 300,000 email addresses and was left in the open from December 2017, until mid-September 2022, when Toyota finally managed to restrict access to the repository. Two days later, the keys were changed, meaning whoever used them to access the database was no longer able to do so.
While Toyota laid the blame on a development subcontractor, it did take responsibility for the mishap and apologized to its users.
The company says there is no evidence of anyone mishandling the data, but still warned customers to be wary of any potential phishing attacks, as it can’t claim otherwise with absolute certainty, either.
“As a result of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time, we cannot completely deny it,” the announcement reads.
Whether or not Toyota wll now face any regulatory fines arising from the incident remains to be seen.
Via: BleepingComputer (opens in new tab)
