Toyota discovers five-year-old email leak, customers at risk of phishing attacks

Car manufacturing giant Toyota has admitted that a server containing the data of 296,019 customers was openly accessible for the past five years.

The company discovered on 15 September that the source code for its T-Connect app and website had been posted on a public GitHub repository in December 2017.


Publishing the source code was a problem in itself, but it was compounded by the discovery that the code included an access key to a data server containing the email addresses of nearly 300,000 customers.

The company has since made the repository private and changed the access key to the server, but the extreme delay in discovering the leak, believed to have been inadvertently made by a third-party developer working on T-Connect, has caused concern.

Customers who had signed up for the company’s T-Connect service since July 2017 are potentially affected by the leak, which exposed email addresses and the customer management number assigned to each customer by Toyota.

Toyota expressed regret for the incident in a blog post and admitted that although there is no evidence that threat actors accessed the information, it cannot be ruled out at this time.

“Having all the email addresses available will give bad actors the chance to start targeted phishing attacks, personalised to the recipient, and if Toyota does not implement continuous email security and anti-phishing training, this could easily result in a far greater security problem than just the leaked emails,” said Markus Strauss, head of product management at Runecast.

Beyond the impact on customers, data breaches and leaks can cause reputational damage to affected firms. The company has warned affected customers to be wary of suspicious emails, and to look out for telltale signs that they are malicious or part of a wider phishing campaign.

“We have no confirmation of a leak of data beyond this information. There is no impact for our customers in Europe,” Toyota told IT Pro in a statement.

“We sincerely apologise for any inconvenience and concern this may have caused to our customers and will continue to work with our contractors to ensure thorough management of the handling of personal information to provide services that our customers can rely on.”

Rory Bathgate
Features and Multimedia Editor
