Hacker Gained Access To 14,000 Toyota Email Accounts Last Year

Toyota has closed a security vulnerability exposed by a white hat hacker who gained access to some 14,000 corporate email accounts and other confidential information.

A 29-year-old by the name of Eaton Zveare was able to gain access to the web portal used by Toyota’s employees and suppliers by using a JSON Web Token, or JWT. To do so, the hacker searched for Toyota supply chain employees in the web portal and entered the name of an employee using the format firstname.lastname@toyota.com.

Zveare was then able to search the portal for an account with system administrator privileges and repeated the process to gain access to thousands of email accounts as well as project documents, supplier rankings, comments, and other information, Auto News reports. Toyota was alerted to the vulnerability last November.

“Toyota takes cyber threats very seriously,” Toyota Connected North America’s senior communication manager Corey Proffitt said in a statement. “We regularly test our systems and also run a coordinated disclosure program to allow security researchers to report vulnerabilities. We appreciate the research performed by Eaton. We promptly remediated the reported vulnerability and confirmed that there was no evidence of malicious access to Toyota systems.”

The hacker had hoped that Toyota would reward him for his security research but he was not paid for his efforts.

“Given how much profit they make per year, I think they should definitely allocate some to their security teams that they can use to reward researchers,” Zveare said. “While recognition is always appreciated, if you don’t offer money, it might be more appealing for hackers to sell their exploits on the black market.”