Keys to Toyota customer information left on GitHub for years • The Register

Toyota has admitted it put 296,019 email addresses and account numbers of people who signed up for its T-Connect support site at risk of online theft by botching its security.

A post in the automaker’s Japanese newsroom apologizes for the privacy snafu and explains that an outsourced developer tasked with building T-Connect uploaded the source code for the website to a public GitHub repo in December 2017.

Nobody noticed that until September 15, 2022.

When Toyota looked at this source code, the manufacturing giant realized that this publicly available code repository contained an access key to a server that stored customer data. This server was therefore also open to the world.

When Toyota discovered the GitHub repo, it immediately made it private. Two days later, the company changed the access key to the data server.

The Japanese giant commissioned an investigation into the bug and could neither confirm nor deny whether rogues had discovered the key and used it to steal data from the server.

T-Connect offers features such as smartphone-based digital keys for unlocking Toyota vehicles, navigation services and remote start.

Fortunately, the customer management numbers stored on the server are not of much use to third parties. But email addresses are — especially when criminals decide to launch Toyota-themed phishing. The car manufacturer therefore warns T-Connect users to check incoming e-mails carefully.

The automaker may also need to take a closer look at its own affairs, as it faced a cyberattack in March 2022 that shut down its factories, sold cars that were prone to wheel failure while driving, and falsified emissions data at truck subsidiary Hino.

Oh what a bunch of mistakes. ®

Rick Schindler
