An access key code left exposed on GitHub may have breached the data of 300,000 Toyota customers.

Toyota has announced that nearly 300,000 customers may have had their data stolen, according to a report in SiliconANGLE. The incident marks the third data breach related to the company so far this year. The potential data breach was uncovered after it was found that an access key to Toyota T-Connect, the official Toyota connectivity app, was left publicly available on GitHub for the last five years.

Some 296,019 customer records were discovered to have been exposed, according to a notice from Toyota published on October 7. All customers who have registered with the service since July 2017 could potentially be affected. Toyota noted that an investigation by security experts did not ascertain whether a third party had accessed the data using the access key, though the company added that it’s possible personally identifiable information was stolen.

Potential data stolen includes email addresses and customer management numbers. Information such as names, phone numbers and credit card details were not exposed. The potential data exposure was first discovered on September 15, with the token live on GitHub from December 2017 through to its discovery. Toyota moved to restrict access the same day the token was discovered and proceeded to change the access key for the data server on September 17.

Toyota customers, beware of phishing and spoofing

While the breach may have only included email addresses and customer numbers, Toyota warned that leaked data could be used in phishing and spoofing emails. Toyota customers are advised to be wary of emails with an unknown sender or subject.

“This is a very common password theft scenario”, Roger Grimes from security awareness training company KnowBe4 told SiliconANGLE. “It’s been estimated that hundreds of thousands of exposed passwords are up on GitHub waiting for anyone who can access the source code to reveal it. Example projects have revealed that passwords located in code uploaded to GitHub have been accessed and used against the victim in less than 30 minutes. It’s a big problem.”