Breachwire.riscent

Breach report

Toyota T-Connect: a hardcoded access key sat public on GitHub for five years

Web Application BreachesHigh (credential exposure, ~296k customers)2022-10
The bottom lineA subcontractor published Toyota T-Connect source code to a public GitHub repository with a database access key embedded, leaving customer data reachable for roughly five years and exposing about 296,000 customers' details.
Category
Web Application Breaches
Type
Named breach · Hardcoded credential exposure
Date
2022-10
Severity
High (credential exposure, ~296k customers)
OWASP
Web A02 Security Misconfiguration
CWE / CVE
CWE-798

What happened

T-Connect is Toyota's connected-vehicle app, which lets owners link their cars to phone and infotainment services. On October 10, 2022, Toyota disclosed that part of the T-Connect source code had been mistakenly published to a public GitHub repository by a development subcontractor — with an access key to a customer-data server embedded in it. The credentials were reachable from December 2017 to September 15, 2022, roughly five years, before Toyota discovered the exposure and changed the keys on September 17, 2022.

The exposed data covered about 296,019 customers — email addresses and customer management numbers. Names, credit-card data, and phone numbers were not involved. Toyota said it "cannot completely deny" that a third party accessed the data, though server logs showed no confirmed unauthorized access, and it warned affected users to watch for phishing.

Root cause

A hardcoded credential shipped in source code and was pushed to a public repository — CWE-798, use of hard-coded credentials, an instance of OWASP's Security Misconfiguration. Developers commonly embed a key during testing and fail to strip it before publishing; here that oversight left a live server key readable by anyone for years.

How it would have been caught

Secret scanners (GitHub secret scanning, gitleaks, trufflehog) detect committed access keys at push time, and pre-commit hooks block the commit before it ever reaches a public remote. A reproduction runs the scanner against the repository history and confirms it flags the live key — and that the key still authenticates to the server.

How to prevent it

  • Keep secrets out of source entirely — use environment variables or a secrets manager, and scan every commit and the full history.
  • Rotate any credential the moment it touches a repository; assume public exposure means compromise.
  • Scope keys to least privilege so a leaked credential cannot read an entire customer database.

The Breachwire test (red → green)

Run the secret scanner over the repo and confirm it finds the committed access key, and that the key authenticates to the data server — the RED control. Remove the secret, rotate the key, and move it to a secrets manager, then confirm the scanner reports clean and the old key no longer authenticates.