The leak only revealed users’ email addresses and customer management numbers. It did not expose other personal details like their names, phone numbers, or credit card details.
According to Toyota, the developer of its T-Connect website mistakenly published the site’s source code on GitHub in December 2017. The code apparently contains an access key to its server, which allows unauthorized third parties to access customers’ private data.
“Starting today, we will individually send an apology and notification to the registered email address of any customer whose email address or customer management number may have been leaked,” the company said in a statement (update October 13th 2022: Toyota seems to have taken down the statement from its website).
296,019 Customers Affected
This leak affects Toyota customers — 296,019 in total — who have signed up for the T-Connect app since July 2017, the company said. The T-Connect app allows users to interact with their car’s infotainment system for navigation, music, phone calls, and vehicle metrics.
Toyota apologized for the incident. According to the company, the contractor violated its data handling rules by uploading the source code of its T-Connect website to GitHub and making it publicly accessible. The company only discovered the leaked access key last month and quickly made the source code private on GitHub. At the moment, it is impossible to tell if any unauthorized parties accessed the data over the past five years. Toyota has launched an investigation into the incident.
The company pointed out that this leak doesn’t affect users of its other apps, as their data is “handled differently.” Meanwhile, Toyota has created a form that allows users to check if their data was exposed. The company has also set up a call center to provide more information about the incident.
Risk of Phishing Attacks
While no financial information was exposed, the leaked emails may be used for targeted phishing attacks, Toyota said. Hackers can take advantage of leaked addresses to send phishing emails with malware or dangerous links and attachments. “If you receive a suspicious e-mail with an unknown sender or subject, there is a risk of virus infection or unauthorized access, so please do not open the file attached to the e-mail and delete the e-mail itself immediately,” the company advised.
Toyota has been caught in several cyber incidents this year. In February, a ransomware attack forced the company’s supplier, Kojima Industries Corp., to shut down its factories. A month later, another Toyota car parts supplier, DENSO, was the victim of a ransomware attack.
If your email was one of the thousands left exposed, check out our guides on phishing and identity theft to learn how to protect yourself from any resulting attacks.