Toyota has stated that a security vulnerability has been identified that compromises 296,019 email addresses and customer management numbers belonging to people registered on the T-Connect help platform. T-Connect is a support platform for unlocking Toyota vehicles that offers features such as smartphone-based digital keys, navigation services, and remote start.
The vulnerability stems from a developer, tasked with building the T-Connect platform, who uploaded the site's source code to a public GitHub repository in December 2017. When Toyota officials inspected the publicly available source code, they found that it contained an access key to a server that stores customer data. Immediately after the vulnerable GitHub repository was discovered, Toyota officials made it private and replaced the exposed access key.
Toyota has launched an investigation into the vulnerability, but there is not yet any evidence as to whether threat actors used the vulnerability to capture data from the server. T-Connect users who may be affected by the breach are advised to be alert to spear-phishing and social engineering attacks that draw on the data that may have been leaked to the internet, and to change the login information registered on the platform, applying strong password policies.
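The root cause described above, an access key hardcoded in source that was pushed to a public repository, is the kind of mistake a scan before publishing can catch. The following is an added example, not code from Toyota or the original article: a minimal scanner that flags quoted literals assigned to credential-like names. The name patterns, placeholder list, entropy threshold and sample files are all assumptions constructed for illustration.

```python
import math
import re

# Quoted literal assigned to a credential-like name (pattern set is an assumption).
ASSIGN = re.compile(
    r"""(?ix)\b([a-z0-9_.-]*(?:access[_-]?key|secret|token|passw(?:or)?d|api[_-]?key)[a-z0-9_.-]*)
        \s*[:=]\s*["']([^"']{8,})["']""")
# Values that are obviously documentation placeholders, not real secrets.
PLACEHOLDER = re.compile(r"(?i)^(?:changeme|example|your[_-]|x+$|<.*>$|\$\{.*\}$)")


def entropy(s):
    """Shannon entropy of s in bits per character."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def scan(files, min_entropy=3.0):
    """Return (path, line_no, name) for each likely hardcoded credential.

    `files` maps path -> file text. The secret value itself is never
    returned, so findings can be logged without leaking it again.
    """
    findings = []
    for path, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            for name, value in ASSIGN.findall(line):
                # Skip placeholders and low-entropy strings to limit false positives.
                if PLACEHOLDER.search(value) or entropy(value) < min_entropy:
                    continue
                findings.append((path, no, name))
    return findings


# Constructed sample tree; the key below is random filler, not a real credential.
SAMPLE = {
    "config/storage.py": 'BUCKET = "customer-data"\nSTORAGE_ACCESS_KEY = "q7Zp2LmX9vRtB4kWc8NdYh3s"\n',
    "config/settings.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\nDB_PASSWORD = "changeme"\n',
    "README.md": 'Set access_key: "<your key here>" before deploying.\n',
}

if __name__ == "__main__":
    for path, no, name in scan(SAMPLE):
        print(f"{path}:{no}: hardcoded value assigned to {name}")
```

A check like this only covers the files it is given; a key that was ever committed remains in the repository history, so it must still be replaced, as Toyota did.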