incidents.cremit.io

A reference feed of real-world Non-Human Identity (NHI) credential leak incidents. Maintained by Cremit.
HIGH 6.8 · confirmed · disclosed Oct 7, 2022

Toyota T-Connect Source Code GitHub Leak (2022)

A subcontractor uploaded T-Connect source code to a public GitHub repository for nearly five years, exposing a database access key for ~296,000 customer records.

Summary

In October 2022, Toyota disclosed that a subcontractor had uploaded source code for the T-Connect connected-vehicle service to a public GitHub repository in December 2017 and left it public until September 2022 — almost five years. The code contained a database access key. Toyota confirmed that the email addresses and customer management numbers of approximately 296,019 T-Connect users were potentially accessible during the exposure window.

Timeline

  • 2017-12-01 — A development subcontractor uploads T-Connect source code to a public GitHub repository, including an embedded database access key.
  • 2017-12 → 2022-09 — Repository remains public; key remains valid.
  • 2022-09-15 — Toyota becomes aware of the public repository.
  • 2022-09-17 — The exposed database access key is rotated.
  • 2022-10-07 — Toyota publicly discloses the incident.

Attack Vector

The attack vector is the simplest one in the index: a developer pushed code with credentials to a public GitHub repository, and nobody noticed for nearly five years.

The specific path:

  1. Subcontractor cloned an internal repository to a personal workstation.
  2. Subcontractor created a public GitHub repository and pushed the code, apparently for personal reference.
  3. The code contained a hardcoded database access key targeting Toyota's customer data store.
  4. Detection happened externally (third-party notification), not via Toyota's own monitoring.
  5. Rotation took two days from discovery to remediation.

Tokens & Credentials Exposed

  • One database access key for the T-Connect customer data store.
  • The key granted read access to the customer data store containing ~296,019 records.
  • Toyota's investigation could not conclusively determine whether the key was used by unauthorized parties during the exposure window.

This is a small token surface relative to other incidents in the index — but the blast radius (full read access to a 296k-record customer table) was enormous because the credential reached production data directly.

Confirmed Impact

  • Potentially affected customers: 296,019 T-Connect users registered before April 2017 and using the service.
  • Confirmed exposure: customer email addresses and customer management numbers.
  • Not exposed: full names, phone numbers, payment information.
  • Confirmed unauthorized access: Toyota stated it could not conclusively confirm or deny third-party access during the exposure window.

Mitigation & Lessons

The lesson here is not a novel one. It is the lesson Cremit has been telling customers since the company started:

  • Public repository leaks are a perpetual surface. A credential pushed to a public repo today, undiscovered, is functionally a credential the attacker has tomorrow.
  • The clock starts on push, not on discovery. Toyota's exposure window is not bounded by the day the leak was reported — it is bounded by the day the leak occurred. Five years is enough time for any motivated party to find a public credential.
  • Internal monitoring is the only durable control. External notification (a researcher, a security vendor, a journalist) is a fortunate outcome, not a strategy.
  • Subcontractor and third-party developer access is a credential propagation surface. Whatever your internal hygiene, your contractor's personal GitHub account is part of your exposure surface.

For affected organizations:

  • Run continuous secret scanning across your entire GitHub footprint, internal and external, including the accounts of ex-employees and contractors.
  • Treat any historical credential discovered in a public repository as compromised regardless of how recently it was pushed.
  • Audit organization permissions on personal GitHub accounts of current and former contributors quarterly.
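As an added illustration of the two points above (the clock starts on push; scan continuously for committed credentials), here is a minimal secret scanner over a constructed source sample, plus an exposure-window calculator. This is example code written for this page, not Cremit's or Argus's scanner and not anything Toyota used; the patterns, the entropy threshold and every sample value are assumptions.

```python
import math
import re
from datetime import date

# Credential shapes relevant to this incident: a database connection string
# with an embedded password, and a generic long key assigned to a *_KEY name.
PATTERNS = {
    "db_connection_string": re.compile(
        r"(?i)\b(?:postgres(?:ql)?|mysql|mongodb|mssql)://[^:/\s]+:([^@\s]+)@"),
    "generic_api_key": re.compile(
        r"(?i)\b(?:api|access|db)[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{24,})"),
}

def shannon_entropy(s: str) -> float:
    """Bits per character; real keys score high, placeholders like CHANGEME low."""
    counts = {ch: s.count(ch) for ch in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_source(text: str, min_entropy: float = 3.0) -> list[dict]:
    """One finding per line whose match is high-entropy; only a short prefix of
    the secret is kept so the scanner's own output does not re-leak it."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pat in PATTERNS.items():
            m = pat.search(line)
            if m and shannon_entropy(m.group(1)) >= min_entropy:
                findings.append({"line": lineno, "kind": kind,
                                 "secret_prefix": m.group(1)[:4] + "..."})
    return findings

def exposure_days(pushed_iso: str, discovered_iso: str) -> int:
    """Exposure window counted from the push date, with both endpoints included;
    this convention reproduces the 1750-day figure in the incident metadata."""
    pushed, discovered = date.fromisoformat(pushed_iso), date.fromisoformat(discovered_iso)
    return (discovered - pushed).days + 1

# Constructed sample of the kind of source that leaked; every value is fake.
SAMPLE = """\
DB_URL = "postgresql://tconnect_ro:kQ9vX2mP7zR4wL8nB3yH@db.example.internal/customers"
DEV_URL = "mysql://user:CHANGEME@localhost/dev"
ACCESS_KEY = "aK3f9Lm2Qz8Xp1Vr7Bn4Ty6Wc0Hd5Ej"
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
    print("exposure window:", exposure_days("2017-12-01", "2022-09-15"), "days")
```

The entropy gate is what keeps the scanner from flagging the `CHANGEME` placeholder on the second sample line; in practice the same scan runs over every commit in history, not just the current tree, because a key removed in a later commit is still in the repository's past.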

Cremit Analysis

This incident is drifted-key and unattributed-key at the same time. The leaked credential was originally minted for legitimate development use, ended up scoped to read production data (drift), and was held by a subcontractor whose employment relationship with Toyota changed multiple times during the five-year exposure window (attribution decay).

The NHI Severity Index score of 6.8 reflects single-org blast radius (Toyota only), production reachability (live customer data store), and read-only privilege level. The score would be higher if the exposed key had write access.

The generalizable point: public repository leaks are the longest-tail incident shape we track. They do not have a "moment of compromise" — they have a window that begins on commit and ends, possibly, on rotation. Detection latency is typically measured in years. This is exactly the surface Argus was built to monitor: continuous indexing of the public-facing developer ecosystem (GitHub, package registries, paste sites) for credentials matching the customers it protects.

last reviewed 2026-05-01 · reviewer ben · license CC BY 4.0

Incident metadata

  • severity: HIGH 6.8
  • status: confirmed
  • disclosed: 2022-10-07
  • occurred: 2017-12-01 → 2022-09-15
  • vector: Public repo leak
  • platforms: GitHub
  • tokens: Database Credential, API Key (generic)
  • NHI severity index: score 6.8 / 10 · blast radius single-org · reachability production · privilege read-only
  • NHI kill chain: Drifted Key, Unattributed Key
  • metrics: orgs affected 1 · tokens est. 1 · exposure 1750 days