What We Can Learn From Toyota’s API Security Breach

In January 2022, Gartner analysts predicted that API security would become a significant cybersecurity threat. And we’ve seen time and time again that that prediction was correct.

One of the most notable API security incidents of the year happened in October 2022, when the Toyota Motor Corporation warned customers that their personal information may have been exposed due to an API key that was publicly available on GitHub for almost five years. Toyota shared that from this incident, 296,019 customer records were exposed.

Unfortunately, Toyota isn’t alone in falling victim to API attacks. In Q2 of 2022, it was reported that API vulnerabilities grew by 268%. As if that weren’t enough, 95% of organizations have experienced an API security incident in the past year. 

Join us as we explore how this API breach happened, the potential consequences, and how companies can avoid finding themselves in similar situations with strong API security protocols.

How Toyota’s API Was Breached 

APIs are commonly used to send, receive and manage data across a large ecosystem of apps and services–acting as a prime communication contract into a service or app. To make secure API calls, developers leverage API keys and secrets, API tokens, and TLS certificates that act as an authenticator to ensure no bad actors are trying to access the API. 

Security experts recommend that API keys are continuously rotated for a strong security posture. But as the use of APIs grows, it becomes harder for companies to monitor which APIs they use, their security keys, and how many secrets exist. As a result, API secrets last too long and are shared across environments, apps, and pipelines. 

This was the case with Toyota. In December 2017, a subcontractor uploaded some source code from Toyota T-Connect, the official Toyota connectivity app, to a publicly accessible GitHub repository. This source code included an API key that was not rotated in the five years the code was publicly available on GitHub. As a result, anyone who found these credentials could access Toyota servers and collect customer data. 

And as we mentioned earlier, it’s important to note that this is not an isolated incident. Take, for example, the Optus data breach. In September of 2022, personal information belonging to current and former customers of Optus was accessed through an unauthenticated API. From this breach, 9.8 million records were exposed.

Money, Reputation, Loyalty: The Risks of Poor API Security

Since APIs are often used in communicating sensitive information, they are an attractive target for attackers. 

In Toyota’s specific situation, having an API key on a public forum for five years exposed customer email addresses and management numbers. As a result, threat actors could leverage this data to:

  • Access customer accounts
  • Locate customer cars
  • Unlock cars and steal parts
  • Execute phishing attempts

But for many companies, the most glaring consequence of a breach like this is major damage to brand reputation and customer trust. Consider this stat: a survey conducted by PwC found that 87% of consumers say they will switch to a different brand if a data breach occurs. 

How to Avoid a Breach of Your Own

The best way to avoid a situation like this is to pay close attention to your API authentication, access, and security hygiene for API secrets – for human-to-machine interactions and especially machine-to-machine communications.

Despite best practices advising otherwise, API secrets are often shared, rarely rotated, and their static nature makes them prime targets for adversaries. And with the prediction that there will be 14.7 billion machine-to-machine connections by 2023, most businesses will need help maintaining robust API security.

By leveraging an automation tool that adds a security layer to existing secrets management and PKI, you can automatically abstract away vulnerabilities caused by human error. An identity-first platform, like Corsha, enables you to assign dynamic identities to your machines and authenticate all your network connection requests, providing complete visibility into your APIs and the machines accessing them. Our platform provides a layer on top of your current security program to heavily reduce the API attack surface.

To learn more about protecting your enterprise against API attacks, try our free API Security Scorecard! In this five-minute quiz, we will score the posture of your API security and provide some actionable steps you can take to improve it.


Corsha Integrations


Corsha Releases Kong Gateway Plugin bringing MFA to Non-Human Identities


zero trust


Corsha Cloud Available at IL5 on Google Cloud


API Secrets, MFA


Sisense Breach Shows Danger of Third Party “Forever” Tokens