Toyota has admitted that it mistakenly left a database of about 300,000 customer emails unsecured online, meaning anyone could have accessed private information.
The leak appears to have impacted Toyota’s own connectivity app, which allows drivers to connect their smartphones to the car and use the in-car system to make calls, listen to music, use the navigation system and the like.
This app, called T-Connect, had part of its source code published on GitHub, apparently by accident, and that code contained an access key to the data server that stored customer email addresses and customer management numbers. The server did not store customer names, credit card information, phone numbers, or other data that could be used for identity theft.
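The failure described above is a credential committed to source code and pushed to a public repository. The Python below is an added example, not Toyota's code or that of any project named here: it scans the added lines of a unified diff for credential shapes, the kind of check a pre-commit hook or CI job runs before code reaches GitHub, and shows the remediation of reading the key from the deployment environment instead of the repository. The AWS access key ID format (AKIA followed by 16 uppercase alphanumerics) is AWS's documented format and AKIAIOSFODNN7EXAMPLE is the placeholder key from AWS's own documentation; the generic assignment heuristic, the entropy threshold, the variable name DATA_SERVER_ACCESS_KEY and the sample diff are all constructed for this example.

```python
from __future__ import annotations

import math
import os
import re
from dataclasses import dataclass

# Credential shapes commonly committed by accident.
# The AWS access key ID pattern follows AWS's documented format; the generic
# assignment pattern is a heuristic written for this example.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_assignment": re.compile(
        r"""(?i)\b[\w-]*(?:api[_-]?key|access[_-]?key|secret|token|password)\b\s*[:=]\s*['"]([^'"]{8,})['"]"""
    ),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, ordinary words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


@dataclass
class Finding:
    line_no: int   # line number within the diff text
    kind: str      # which pattern fired
    snippet: str   # the suspected credential value


def scan_diff(diff: str, entropy_threshold: float = 3.5) -> list[Finding]:
    """Scan only the added ('+') lines of a unified diff, as a pre-commit hook would."""
    findings: list[Finding] = []
    seen: set[tuple[int, str]] = set()
    for n, line in enumerate(diff.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(body):
                value = m.group(1) if m.groups() else m.group(0)
                # A generic assignment is only reported if the value looks random;
                # this keeps placeholders such as "changeme" out of the report.
                if kind == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                # Report each suspected value once per line even if two patterns match it.
                if (n, value) in seen:
                    continue
                seen.add((n, value))
                findings.append(Finding(n, kind, value))
    return findings


def load_access_key(var: str = "DATA_SERVER_ACCESS_KEY", env=None) -> str:
    """Remediation pattern: the key lives in the deployment environment, never in the repo.
    Refusing to start on a missing key is deliberate; a silent empty credential hides misconfiguration."""
    env = os.environ if env is None else env
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to start with an empty credential")
    return key


# Constructed diff for demonstration. AKIAIOSFODNN7EXAMPLE is the placeholder
# access key ID from AWS documentation, not a real credential.
SAMPLE_DIFF = """\
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
 import os
-ACCESS_KEY = os.environ["DATA_SERVER_ACCESS_KEY"]
+ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
+db_password = "placeholder"
+api_token = "q7Zp2xLm9vBk4nRt8wYh"
"""

if __name__ == "__main__":
    for f in scan_diff(SAMPLE_DIFF):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
```

Run against the sample diff, the scanner reports the AWS-format key on line 6 and the random-looking token on line 8, and ignores the low-entropy placeholder on line 7. Wiring `scan_diff` to `git diff --cached` in a pre-commit hook, and failing the commit on any finding, is the cheapest point at which a leak like this one is stopped; if a key has already been pushed, the history is public and the only fix is the one the article describes next: revoke and replace the key.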
Ripe for phishing
However, an email address is enough to carry out a phishing attack.
Still, the database contained 300,000 email addresses and remained open from December 2017 to mid-September 2022, when Toyota finally managed to restrict access to the repository. Two days later, the keys were changed, meaning whoever had used them to access the database could no longer do so.
Although Toyota blamed a development subcontractor, it took responsibility for the accident and apologized to its users.
The company says there’s no evidence anyone misused the data, but warned customers to be wary of potential phishing attacks, as it can’t claim otherwise with absolute certainty.
“As a result of an investigation by security experts, while we cannot confirm access by a third party based on the access history of the data server where the customer’s email address and customer management number are stored, at the same time we cannot completely deny it”, reads the announcement.
It remains to be seen whether or not Toyota will face fines as a result of the incident.
Via: BleepingComputer