
Five years, one GitHub key: the Toyota T-Connect leak in detail

A Toyota subcontractor accidentally published T-Connect source code containing a database access key to a public GitHub repo. It stayed exposed for almost five years and put 296,019 customers at risk.

FoxHat Research, March 18, 2024

In October 2022 Toyota Motor Corporation disclosed that part of the source code for T-Connect — its connected-vehicle app — had been sitting in a public GitHub repository since December 2017. A development subcontractor had pushed the code without permission, and the repository included an access key to the data server that stored customer email addresses and management numbers.

  • 296,019: customers whose email address and management number were exposed (source: Toyota disclosure, October 7, 2022, via BleepingComputer)
  • ~5 years: duration the credential remained in a public GitHub repo (source: Toyota disclosure, October 7, 2022)
  • Dec 2017 → Sep 2022: window between the leak and its discovery (source: Toyota disclosure, October 7, 2022)

What actually happened

Toyota's own statement walks through the chain of events. A development partner uploaded part of the T-Connect site's source code to a public repository in December 2017. The repository contained an access key to the database server hosting customer information. The repository was made private on 15 September 2022 after a third party reported it, but anyone who cloned it during that five-year window still had the key.

Why the blast radius was bounded — barely

Toyota reported no evidence that customer data was actually accessed, but they could not rule it out, which is why they had to notify nearly 300,000 customers. The data exposed was relatively narrow — email addresses and an internal management number, not payment details or full PII — but for a connected-vehicle service the reputational damage is significant. The credential itself was rotated after discovery, but that does not retroactively protect data that may have been queried during the exposure window.

The three failures in this incident

  • A contractor pushed production-shaped code to their personal account without review.
  • The repository contained a database credential checked into source, instead of being injected from a secret manager at runtime.
  • Nobody at Toyota was watching public GitHub for code or credentials tied to the t-connect domain — discovery came from an outside report.
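The second and third failures are the ones a small automated check would have caught before the push. The following is an added example written for this article, not code from Toyota or FoxHat: it scans source text for a credential assigned to a literal or embedded in a connection URL, uses a character-entropy threshold to skip ordinary words, and shows the runtime-injection alternative. The sample source and key values are constructed placeholders.

```python
import math
import re

# Constructed sample resembling a checked-in config; the key is a placeholder.
SAMPLE_SOURCE = """\
DB_HOST = "db.example.internal"
DB_ACCESS_KEY = "AKexampleQ7f9Lm2ZpR4vT8nXcB1yWdK"
DB_URL = "postgres://tconnect:S3cr3tP4ssw0rd@db.example.internal/customers"
LOG_LEVEL = "debug"
"""

# A credential-like name assigned a quoted literal of 8+ characters.
ASSIGN_RE = re.compile(
    r'(?P<name>[A-Za-z_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Za-z_]*)'
    r'\s*=\s*["\'](?P<value>[^"\']{8,})["\']',
    re.IGNORECASE,
)
# A connection URL that carries a password: scheme://user:password@host
URL_RE = re.compile(r'(?P<scheme>\w+)://[^:/\s"\']+:(?P<pw>[^@\s"\']+)@')


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words like 'debug' score low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_credentials(text: str, min_entropy: float = 3.5) -> list:
    """One finding per line that looks like a credential checked into source."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ASSIGN_RE.search(line)
        if m and shannon_entropy(m.group("value")) >= min_entropy:
            findings.append({"line": lineno, "kind": "assignment", "name": m.group("name")})
            continue
        m = URL_RE.search(line)
        if m:
            findings.append({"line": lineno, "kind": "url_password", "name": m.group("scheme")})
    return findings


def load_db_key_from_env(environ: dict) -> str:
    """The alternative: the key is injected at runtime and never lives in the repo."""
    if "DB_ACCESS_KEY" not in environ:
        raise RuntimeError("DB_ACCESS_KEY must be injected by the secret manager")
    return environ["DB_ACCESS_KEY"]


if __name__ == "__main__":
    for f in find_hardcoded_credentials(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} ({f['name']})")
```

Wired into a pre-commit hook or a CI step on the contractor's side, a non-empty result blocks the push; the same scan run against public repositories is the discovery path the third failure lacked.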

The pattern repeats

T-Connect is not unique. Mercedes-Benz (a leaked GitHub token in early 2024 exposed internal source code and cloud credentials), Samsung (Galaxy source code published to a private group in 2022 was scraped within hours), and dozens of smaller incidents all follow the same shape: a contractor or junior engineer pushes code into the wrong repo, and an attacker finds it before the owner does.

The defensive lesson is the same every time: organizations need continuous, name-aware scanning of the open web for code, domains, and credentials that look like theirs — independent of whether the leak happens on an asset they technically control.

We sincerely apologise for the great inconvenience and concern caused.
Toyota Motor Corporation, October 2022
