Toyota has warned the personal information of almost 300,000 customers using its T-Connect car app may have been exposed after access to its database was accidentally leaked online.

BleepingComputer reports the Japanese automotive giant published a notice informing customers that a part of the T-Connect site’s source code posted to Github also contained an access key to the data server storing customer email addresses and management numbers.

That meant unauthorised parties would have been able to access the details of 296,019 customers from December 2017 to 15 September 2022, after which Toyota revoked the key.

Toyota changed the database’s keys on 17 September 2022, cutting off access to the database from unauthorised parties.

Toyota acknowledged its responsibility for mishandling customer data, despite a development subcontractor mistakenly including the access key in the Github repository.

It assured customers that no names, credit card data, or phone numbers were stored in the compromised database.

Toyota said although it could not confirm whether a third party had accessed the database while the access key was compromised, it could not completely rule out the possibility.

For this reason, it cautioned customers to watch out for malicious actors targeting their email addresses with spam or phishing scams.

Toyota provided a link to a portal that lets users submit their name, surname, and email address to confirm if their information was included in the exposed database.

The company explained that the data of Toyota owners with the MyToyota or My Toyota+ apps and Lexus owners with the G-Link app were handled differently, and did not form part of the exposed database.

The T-Connect platform is primarily used in Japan and some of Toyota’s Asian markets.

MyToyota is the app South African Toyota owners use for Toyota Connect, a service separate from T-Connect, while Lexus owners get the My Lexus app.