Toyota T-Connect user base access key published by mistake on GitHub

The automotive corporation Toyota has disclosed a possible leak of the user base of the T-Connect mobile application, which integrates a smartphone with the car's information system. The incident was caused by the publication on GitHub of part of the source code of the T-Connect website, which contained an access key to the server that stores customers' personal data. The code was mistakenly published to a public repository in 2017, and the leak went unnoticed until mid-September 2022.

Using the published key, attackers could have gained access to a database containing the email addresses and control codes of more than 269 users of the T-Connect application. Analysis of the situation showed that the leak was caused by an error on the part of a subcontractor involved in developing the T-Connect website. It is claimed that no traces of unauthorized use of the publicly exposed key have been identified, but the company cannot completely rule out that the contents of the database fell into the hands of outsiders. After the problem was identified on September 17, the compromised key was replaced with a new one.

Source: opennet.ru
