Secrets in code combined with code leaks exposed data for 300,000 Toyota customers

There has been a surge in the number of organizations who have reported theft of source code, exposure of secrets in code as well as exposure of proprietary code into external repositories due to unauthorized access or code leaks. 

This is exactly what happened at Toyota. It was reported in an article dated October 10, 2022 published in Bleeping Computer that states, “Toyota discovered recently that a portion of the T-Connect site source code was mistakenly published on GitHub and contained an access key to the data server that stored customer email addresses and management numbers”.

The article adds, “This made it possible for an unauthorized third party to access the details of 296,019 customers between December 2017 and September 15, 2022, when access to the GitHub repository was restricted”. 

Toyota T-Connect is the automaker’s official connectivity app that allows owners of Toyota cars to link their smartphone with the vehicle’s infotainment system for phone calls, music, navigation, notifications integration, driving data, engine status, fuel consumption, and more.

How do secrets find their way into code?

One of the leading root causes of software supply chain breaches turns out to be secrets in code. Through negligence or mal-intent, secrets that are left in code can be exploited by hackers to mount asynchronous attacks leading to escalation of privileges, exploitation of vulnerabilities and exfiltration of data. 

Secrets exist as artifacts in code that an app uses to connect to an external service, account, or application. Secrets used by developers include API keys; encryption keys; OAuth tokens; certificates; and passwords. 

One of the biggest challenges facing organizations today is manual detection, identification and remediation of secrets in code, which is tedious and time consuming. In many cases application security titles within organizations, particularly those with large numbers of developers are faced with having to resolve many thousand secrets.

It can be challenging to determine all the reasons that secrets remain in code. In many cases development teams are focused on getting business logic and the functional aspects of integration to work. 

Many times it is easier to hardcode the secret string or value into the code while testing and then deal with the secrets removal later. While they have good intentions, sometimes developers forget to do that, or rarely, due to malicious intent, deliberately expose secrets in clear text. One way or another, secrets numbering in the thousands, often find their way into code repositories. 

How does Blubracket eliminate secrets in code?

As a solution that is built with developers in mind, BluBracket is easy to integrate into the daily development workflows. It also has the flexibility to operate across all git repositories, both internal and external. Integration with existing DevOps and CI/CD tools commonly found in the enterprise allow developers to easily include BluBracket into their daily routines. 

The BluBracket code security solution scans source code and identifies hundreds of secret types that are neither recognized by open source solutions nor the add-on security capabilities that code management systems like GitHub, GitLab and BitBucket might provide. 

BluBracket helps eliminate secrets throughout the development workflow (before commit, review on pull request, and alert on commits to monitored repos), and make it easy to triage and mitigate secrets previously committed. BluBracket identifies secrets in git history, and can even identify active secrets so you know which ones are most important.

How do you prevent code leaks?

Developers sometimes unknowingly place company IP at risk when they share code sections or make commits to public git repositories. BluBracket regularly scans public repositories for code fingerprints that may have leaked into the extended universe and identifies code that may have leaked. 

How to get started?

BluBracket helps you understand your overall code health and identifies the areas of highest risk, implement workflows to stop new risks from getting into code and monitor your code health and watch it improve with every commit. Developers and AppSec teams can get started in three simple steps by using their GitHub accounts to sign up for BluBracket. They can easily select the repositories to scan and start identifying risks almost immediately. 

Use this link to get started for free in just minutes. No credit card required https://blubracket.com/contact/get-started/

For additional information on how BluBracket can help secure your code environment, please visit BluBracket.com

Share this post!