Toyota reports a significant data leak after an access key was left exposed on GitHub

Toyota has admitted to having mistakenly left a database of 300,000 customer emails unsecured, meaning that anyone could have accessed private information.

The leak affects Toyota's proprietary connectivity app, which allows drivers to connect their smartphones to the vehicle to make calls, listen to music, use the navigation system and more.

T-Connect had a portion of its site source code on GitHub, apparently by mistake, and that portion contained an access key to the data server that held customer email addresses and management numbers. The server didn't store customer names, credit card information, phone numbers, or other information that might be used for identity theft.

Ripe for phishing

However, an email address alone is enough to make someone the target of a phishing attack.

The database contained around 300,000 email addresses, and it was left exposed from December 2017 until mid-September 2022, when Toyota finally restricted access to the repository. Two days later, the keys were changed, meaning anyone who had used them to access the database could no longer do so.

Despite putting the blame on a development contractor, Toyota took responsibility for the incident and apologized to its users.

The company claims there is no evidence of unauthorized handling of data, but it is still warning users to be cautious of any potential phishing attacks, as it cannot claim otherwise with absolute certainty.

"At the conclusion of an investigation by security experts, although we cannot confirm access by a third party based on the access history of the data server where the customer's email address and customer management number are stored, we cannot completely deny it," the statement states.

Whether Toyota will receive regulatory fines as a result of the incident remains to be seen.