Toyota data leak disclosed after exposure of access key on GitHub.
Toyota Motor Corporation has disclosed a data breach of customers' personal information exposed due to its access key, which was made publicly available on GitHub for almost five years. The access key is a part of the Toyota T-Connect site source code which has been published mistakenly on GitHub. The key can access the data server that stores customer email addresses and management numbers.
The access key mistakenly made available on GitHub allowed an unauthorized party to access the database that stored details of 296,019 customer records from December 2017 until September 2022. On 17th September 2022, the database access keys were changed, purging all possible access from unauthorized third parties.
Toyota explains in the announcement that confidential data like customer names, credit card data, and phone numbers have not been compromised as they were not stored in the exposed database. Toyota blames the development subcontractor of T-Connect for the data breach incident and apologizes for the inconvenience caused.
Security experts investigated the incident and confirmed access by the third party based on the activity history on the data server where the customer email address and management numbers were stored. Due to this incident, all users of T-Connect who were registered between July 2017 and September 2022 are advised to be careful of phishing email scams that claim to be from Toyota.
In light of this incident, security incident of such has become a large-scale problem that makes large collections of sensitive data at risk of exposure. Symantec security analysts have discovered nearly 2,000 mobile application contains credentials of the AWS servers hard coded into the application. These credentials are usually stored in the application during development. Due to neglicence from developers, they tend to forget to remove those credentials.
Due to repetitive case of such incidents, GitHub has begun developing a method to scan for passwords in a code that is published. When a secret authentication key is detected, GitHub will block the secret code from being commited. GitHub will not be ble to detect this if the appliction uses non-standard or custom access keys.
About the Author
Ruben George