Toyota has admitted that it mistakenly left a database of about 300,000 customer email addresses exposed on the Internet, which means anyone could have accessed the private information.
The leak appears to have affected Toyota’s proprietary connectivity app, which allows drivers to link their smartphones to the car, use the in-vehicle system to make calls, listen to music, use the navigation system, and the like.
A portion of the source code for the site of this app, called T-Connect, was posted on GitHub, apparently by mistake, and that portion contained an access key to the data server that stored customers' email addresses and management numbers. The server does not store customer names, credit card data, phone numbers, or other data that could be used for identity theft.
It's phishing time
However, an email address is sufficient to launch a phishing attack.
The database, which contained only 300,000 email addresses, was left open from December 2017 until mid-September 2022, when Toyota was finally able to restrict access to the repository. Two days later, the keys were changed, which means that anyone who had been using them to access the database can no longer do so.
While Toyota blamed a development subcontractor, it took responsibility for the incident and apologized to its users.
The company says there is no evidence that anyone has misused the data, but it still cautions customers to be wary of potential phishing attacks, as it cannot rule out misuse with absolute certainty.
“As a result of the investigation by security experts, although we cannot confirm third-party access based on the access log of the data server where the client’s email address and client management number are stored, at the same time, we cannot completely refuse,” the announcement reads.
It remains to be seen whether Toyota will now face any regulatory consequences arising from the incident.
Across: Computer