Toyota Suffers Data Breach from “Mistakenly” Exposed Access Key on GitHub

essidsolutions

Japanese automaker Toyota suffered a breach of customer records after a hacker obtained credentials for one of its servers from source code published on GitHub by a website development subcontractor. The third party “mistakenly uploaded part of the source code to their GitHub account while it was set to be public”, the company said.

As a result, the company said that email addresses and customer management numbers of as many as 296,019 customers were leaked. However, Toyota, one of the two biggest global automakers by revenue, seems to have caught a stroke of luck, considering the access key in the source code on GitHub was exposed for five years, between December 2017 and September 15, 2022.

“It’s instructive just how much potential damage can come from a simple mistake and that the mistake can take years to identify,” Chris Clements, VP of solutions architecture at Cerberus Sentinel, told Spiceworks. “This is far from the first time an organization has had private information potentially exposed from uploading secret keys or passwords to public code repositories or exposed cloud storage buckets.”

Toyota said a website development subcontractor “mistakenly uploaded part of the source code to their GitHub account while it was set to be public” in December 2017. This led the unknown hacker straight to the server containing customers’ data associated with the company’s infotainment system T-Connect.

“This is a very common password theft scenario. It’s been estimated that hundreds of thousands of exposed passwords are up on GitHub waiting for anyone who can access the source code to reveal it,” Roger Grimes, defense evangelist at KnowBe4, told Spiceworks. “Example projects have revealed that passwords located in code uploaded to GitHub have been accessed and used against the victim in less than 30 minutes. It’s a big problem.”

The silver lining to the leak is that customer names, phone numbers, credit cards, etc., remain unaffected. With no additional personal information about the user, threat actors cannot tailor their social engineering efforts while carrying out phishing attacks, making them a bit less severe.

However, email IDs tend to be made up of names, and with the associated customer management numbers, phishing, even if weakened, certainly is a concern.


Customers whose data was leaked should get an apology email from Toyota. The company has also set up a page for customers to check whether their email addresses have been leaked and has set up a call center to answer any questions.

“It [the leak] points to just how difficult a challenge that data proliferation presents. Every copy of data from employees to subcontractors presents an additional avenue for inadvertent disclosure. It doesn’t matter if your main storage location is heavily secured and monitored if a user can just copy that data to a cloud service outside of your control,” Clements added.

Grimes opined that developers need to be more careful in dealing with the complexities of the cloud. After all, the human element has proven to be a weak link in organizations’ cybersecurity. Human-centric activities are attacker favorites because they strengthen social engineering efforts or, in Toyota’s case, lead attackers straight into the server.

In its 2022 Data Breaches Investigations Report, Verizon noted that 82% of data breaches are caused by a human element. “Developers need to know that putting active production passwords into source code is not allowed. We need to make developers realize that putting passwords into source code, even for testing purposes, is like running with scissors…nothing good can come of it,” Grimes added.

Toyota said it hasn’t noticed any unauthorized use of data but warned customers to remain vigilant of spoofing or phishing scams. To mitigate the fallout of the breach, the company removed third-party access to the server, changed the access keys, and changed the GitHub repository to private.

Clements and Grimes suggested a policy-driven approach to minimizing similar errors. Clements said, “Like most things in cybersecurity, there are no easy answers because it’s not an easy problem. Considering that truism, it’s imperative that organizations adopt a cultural approach to cybersecurity that is integral to every business process. It’s still not an easy job, but it’s much more manageable when every person understands the need for secure operations and what their responsibilities are.”

Grimes added, “The solution is the defense-in-depth combination of policies, technical tools, and education to prevent errant passwords from being left in source code.”

Jordan Schroeder, managing CISO at Barrier Networks, spelled out some concrete steps regarding the use of access keys to avoid a similar situation.

“Addressing these weaknesses requires implementing secrets management so that access keys are pulled from secured secrets servers and not hard coded into software, by locking down the development environment to prevent public access, and by setting up automated code repository security and access reviews, which includes searching the internet for code snippets that would indicate source code leakage,” Schroeder told Spiceworks.
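The two controls Schroeder describes, automated scanning of a repository for hardcoded credentials and resolving secrets at runtime from a secrets store instead of a literal, can be illustrated in a few lines. This is an added example, not Toyota's or Schroeder's code; the regex, the entropy threshold and the sample source file are this example's own assumptions.

```python
"""Pre-push secret scan plus runtime secret loading (added illustrative example)."""
import math
import os
import re
from typing import List, Tuple

# Credential-like variable names assigned a quoted literal. The keyword list and
# the entropy threshold are assumptions of this example, not an industry standard.
SECRET_ASSIGNMENT = re.compile(
    r"(?i)\b(\w*(?:api[_-]?key|secret|access[_-]?key|token|passw(?:or)?d)\w*)"
    r"\s*[:=]\s*[\"']([^\"']{8,})[\"']"
)
MIN_ENTROPY_BITS = 3.0  # placeholders like "changeme" fall below this


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: 'changeme' is ~2.75, a random 20-char key ~4.32."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_for_secrets(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, variable_name) for each hardcoded high-entropy credential."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, literal in SECRET_ASSIGNMENT.findall(line):
            if shannon_entropy(literal) >= MIN_ENTROPY_BITS:
                findings.append((lineno, name))
    return findings


def load_secret(name: str, env=os.environ) -> str:
    """The hardened pattern: resolve the credential at runtime, never from a literal."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} not provided by the environment or secrets store")
    return value


# Constructed sample source, standing in for a file a subcontractor might commit.
SAMPLE_SOURCE = """\
API_BASE = "https://example.invalid/api"         # a URL, not a secret
SERVER_ACCESS_KEY = "k9$Vq2!xLw8#Pm4zRt6b"       # constructed hardcoded key
password = "changeme"                            # low-entropy placeholder
access_key = os.environ["T_CONNECT_ACCESS_KEY"]  # resolved at runtime: fine
"""

if __name__ == "__main__":
    for lineno, name in scan_for_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: hardcoded credential in {name}")  # line 2: SERVER_ACCESS_KEY
```

Run as a pre-commit or CI step, a scan like this blocks the push that would have published the key; `load_secret` is the shape the committed code should take instead.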
