Breach report
Toyota T-Connect: a hardcoded access key sat public on GitHub for five years
What happened
T-Connect is Toyota's connected-vehicle app, which lets owners link their cars to phone and infotainment services. On October 10, 2022, Toyota disclosed that part of the T-Connect source code had been mistakenly published to a public GitHub repository by a development subcontractor — with an access key to a customer-data server embedded in it. The credentials were reachable from December 2017 to September 15, 2022, roughly five years, before Toyota discovered the exposure and changed the keys on September 17, 2022.
The exposed data covered about 296,019 customers — email addresses and customer management numbers. Names, credit-card data, and phone numbers were not involved. Toyota said it "cannot completely deny" that a third party accessed the data, though server logs showed no confirmed unauthorized access, and it warned affected users to watch for phishing.
Root cause
A hardcoded credential shipped in source code and was pushed to a public repository — CWE-798, use of hard-coded credentials, an instance of OWASP's Security Misconfiguration. Developers commonly embed a key during testing and fail to strip it before publishing; here that oversight left a live server key readable by anyone for years.
How it would have been caught
Secret scanners (GitHub secret scanning, gitleaks, trufflehog) detect committed access keys at push time, and pre-commit hooks block the commit before it ever reaches a public remote. A reproduction runs the scanner against the repository history and confirms it flags the live key — and that the key still authenticates to the server.
How to prevent it
- Keep secrets out of source entirely — use environment variables or a secrets manager, and scan every commit and the full history.
- Rotate any credential the moment it touches a repository; assume public exposure means compromise.
- Scope keys to least privilege so a leaked credential cannot read an entire customer database.
The Breachwire test (red → green)
Run the secret scanner over the repo and confirm it finds the committed access key, and that the key authenticates to the data server — the RED control. Remove the secret, rotate the key, and move it to a secrets manager, then confirm the scanner reports clean and the old key no longer authenticates.