The vulnerability is due to a developer tasked with building the T-Connect platform uploading the site's source code to a public GitHub repository in December 2017. When Toyota officials inspected the publicly available source code, they discovered that it contained an access key to a server that stores customer data. Immediately after the exposed GitHub repository was discovered, Toyota officials made it private and replaced the exposed access key.
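The root cause above is a credential committed into source code. The block below is an added example, not Toyota's code or the T-Connect code base, of the kind of pre-commit check that catches this class of mistake before a push: it scans source text for string literals assigned to credential-like names and flags the ones whose Shannon entropy looks like a real key rather than a placeholder or a dictionary word. The sample source it scans is constructed for the example, and the key-like value in it is invented; the credential name list and the entropy threshold are assumptions to tune per project.

```python
import math
import re
import sys
from collections import Counter

# Names that usually hold credentials (assumption: extend per project).
CRED_NAME = r"(?:access[_-]?key|secret|token|password|passwd|api[_-]?key)"

# An assignment of a quoted literal to a credential-like name, e.g.
#   ACCESS_KEY = "..."    "apiToken": '...'    password=" ... "
ASSIGN_RE = re.compile(
    rf"(?P<name>[A-Za-z0-9_.\"']*{CRED_NAME}[A-Za-z0-9_\"']*)"
    r"\s*[:=]\s*[\"'](?P<value>[^\"']{8,})[\"']",
    re.IGNORECASE,
)


def shannon_entropy(s):
    """Bits per character; a random 24-char key scores ~4.5, 'password' ~2.75."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_placeholder(value):
    """Skip obvious template values so the check does not cry wolf."""
    v = value.strip().lower()
    return (
        v.startswith(("<", "${", "{{"))
        or v in {"changeme", "replace_me", "your_key_here"}
        or re.fullmatch(r"x+|\*+", v) is not None
    )


def find_hardcoded_secrets(text, min_entropy=3.0):
    """Return (line_no, name, entropy) for every literal that looks like a real secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ASSIGN_RE.finditer(line):
            value = m.group("value")
            if is_placeholder(value):
                continue
            ent = shannon_entropy(value)
            if ent >= min_entropy:
                findings.append((lineno, m.group("name"), round(ent, 2)))
    return findings


# Constructed sample file (not from any real project). Only line 3 should fire:
# line 4 is a placeholder, line 5 is low-entropy, line 6 reads from the
# environment, which is the pattern that should have been used in the first place.
SAMPLE_SOURCE = """\
# config.py (constructed sample)
DB_HOST = "db.internal.example"
ACCESS_KEY = "AK7f3Qx9LmZpT2vB8nRc4wYd"
api_token = "<your-token-here>"
password = "password"
secret_key = os.environ["SECRET_KEY"]
"""


def scan_files(paths):
    """Pre-commit style entry point: non-zero exit if any file contains a secret."""
    hits = 0
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, name, ent in find_hardcoded_secrets(fh.read()):
                print(f"{path}:{lineno}: possible hardcoded secret in {name} (entropy {ent})")
                hits += 1
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(1 if scan_files(sys.argv[1:]) else 0)
    # No arguments: demonstrate on the constructed sample.
    for lineno, name, ent in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"sample:{lineno}: possible hardcoded secret in {name} (entropy {ent})")
```

Wired into a pre-commit hook (`python check_secrets.py $(git diff --cached --name-only)`), the non-zero exit blocks the commit, so the key never reaches a remote repository in the first place; a check like this complements, rather than replaces, rotating any key that does get exposed, which is what the remediation described above did.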
Toyota has launched an investigation into the vulnerability, but there is no evidence yet as to whether threat actors used it to capture data from the server. T-Connect users who may be affected by the breach are advised to be aware that leaked data could be used in spear-phishing/social engineering attacks, and to change the login information registered to the platform, choosing passwords that meet a strong password policy.