Toyota Motor Co. has warned that nearly 300,000 customers may have had their data stolen in the third data breach related to the company this year.

The potential data breach was uncovered after it was found that an access key to Toyota T-Connect, the official Toyota connectivity app, was left publicly available on GitHub for the last five years. Some 296,019 customer records were discovered to have been exposed according to an Oct. 7 notice from Toyota (translated from Japanese), with customers who have registered with the service since July 2017 potentially affected.

Toyota noted that an investigation by security experts has not ascertained whether a third party had accessed the data using the published access key but added that it’s possible personally identifiable information was stolen. Potential data stolen includes email addresses and customer management numbers. Information such as name, phone number and credit card details were not exposed.

The potential data exposure was first discovered on Sept. 15, with the token live on GitHub from December 2017 through to its discovery. Toyota moved to restrict access the same day the access token was discovered, then changed the access key for the data server on Sept. 17.

While the breach may have only included email addresses and customer numbers, Toyota warned that the data, if it has been stolen, could be used in phishing and spoofing emails. Toyota customers are advised to be wary of emails with an unknown sender or subject.

The potential breach is the third security-related incident involving Toyota and its suppliers this year. In March, Toyota was forced to halt manufacturing operations at all of its plants in Japan after a cyberattack struck a major component supplier. The supplier, Kojima, is directly connected to Toyota via Toyota’s kanban just-in-time production control system and hence there was concern that the attack could also spread to Toyota’s system.

In April, data was stolen from Denso Corp., a global automotive manufacturer based in Japan that is also 25% owned by Toyota. The Pandora ransomware gang claimed responsibility and said it had stolen 1.4 terabytes of data belonging to Toyota.

“This is a very common password theft scenario,” Roger Grimes, data-driven defense evangelist at security awareness training company KnowBe4 Inc., told SiliconANGLE. “It’s been estimated that hundreds of thousands of exposed passwords are up on GitHub waiting for anyone who can access the source code to reveal it. Example projects have revealed that passwords located in code uploaded to GitHub have been accessed and used against the victim in less than 30 minutes. It’s a big problem.”

Jason Kent, hacker in residence at unified application programming interface protection provider Cequence Security Inc., noted that Toyota’s processes are partially to blame. “Though security experts recommend periodic rotation of API keys, Toyota took a slightly different tactic and allowed the same key, the one exposed in source code, to be used for five years,” Kent explained. “From 2017 to 2022, that key dutifully provided administrative access to anyone that knew it.”

As a Toyota owner, he added, it’s possible that the email associated with his connected services has been learned. “The next possible step is to take over that account, learn the location of my vehicle and potentially unlock it or steal it,” he said.

Photo: Shuets Udono/Wikepedia Commons