Share this article on:
Japanese motoring titan Toyota has accidentally been leaking sensitive data for one and a half years, leaving its customers vulnerable to a barrage of phishing attacks from threat actors.
An investigation conducted by CyberNews revealed that credentials for the Salesforce Marketing Cloud for Toyota Italy were exposed. The availability of these credentials to threat actors allows them to access sensitive customer data such as email addresses and phone numbers, which criminals can then use to launch phishing scams and attacks.
In addition, access to Toyota’s Salesforce Marketing Cloud means threat actors are able to launch marketing campaigns, edit marketing content tied to the cloud, send push notifications to customers, send fake text messages, and create automation scripts.
Toyota is arguably the largest auto manufacturer in the world, with a revenue of 31.38 trillion Japanese yen, according to Statista ($353.75 billion) in the 2021 to 2022 financial year, selling 10.48 million vehicles in 2022 and with a staff count of over 370,000 employees, with 25,000 in Europe alone.
Having access to the credentials of such a large customer base, particularly for one and a half years, could have dire consequences.
Toyota was informed of the leak by CyberNews and was quick to act. It identified that the vulnerability was the result of its data-security policies not being followed. It has since put in place additional measures to reinforce its systems.
“An additional set of countermeasures have been put in place to restore and strengthen our cyber security systems and protocols. We have reported this risk of exposure of privacy data to the relevant Italian authorities and are fully cooperating with the ongoing investigation,” said the Japanese multinational.
“Toyota takes this case, and cyber security in general, very seriously. We are taking this opportunity to learn from the findings to further upgrade the robustness of our cyber security systems and protocols to prevent a recurrence of similar incidents.”
At this stage, Toyota has not revealed whether any data has been accessed by threat actors, but CyberNews recommends customers remain cautious around push notifications, messages, and emails from Toyota.
Users should secure their accounts with two-factor authentication (2FA) and change any details that are believed to have been compromised, such as passwords and potentially phone numbers, to avoid the consequences of SIM-swapping attacks.
Toyota has suffered from data leaks in the past, just last year confirming that the data of just under 300,000 customers was leaked via its customer app T-Connect, while in January, Toyota Motor’s Indian business revealed a data breach that saw customer data potentially compromised.