A white hat hacker breached Toyota’s global supplier management web portal, gaining read-and-write access to 14,000 corporate email accounts, associated confidential documents, projects, supplier rankings, comments, and other information.

Eaton Zveare, a 29-year-old hacker-hobbyist in Sarasota, Fla., notified the automaker of the breach in November and it was quickly closed.

“Toyota takes cyber threats very seriously. We regularly test our systems and also run a coordinated disclosure program to allow security researchers to report vulnerabilities,” Corey Proffitt, Toyota Connected North America’s senior communication manager, said in an email to Automotive News.

“We appreciate the research performed by Eaton. We promptly remediated the reported vulnerability and confirmed that there was no evidence of malicious access to Toyota systems.”

Toyota Motor Corp.’s employees and suppliers access the company’s Global Supplier Preparation Information Management System through an application used to coordinate projects, parts distribution, surveys, purchases, and other tasks related to the automaker’s global supply chain.

Zveare found he could penetrate the web portal by generating a JSON Web Token, or JWT, with a corporate Toyota email address, even without a password.

A JWT is a signed token that represents an authenticated session on a website. Typically, a JWT is issued only after a user has logged into the site with an email and password; the token then grants access to the site’s secured areas under that verified identity.

To gain a JWT for the portal, Zveare searched the internet for Toyota supply chain employees. Using the format: [email protected], Zveare entered the name of a Toyota employee and found a successful match. After searching the portal, he found an account with system administrator privileges and used that same process to gain read-and-write access to 14,000 corporate Toyota email accounts.
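As an added illustration (not code from the article or from Toyota’s portal), the issuance flaw described above shown beside the corrected flow: the weak function mints a validly signed JWT for any known email address, while the fixed one verifies the password before minting. The signing key, salt and user record are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo data: throwaway signing key, salt and one user record.
SECRET = b"constructed-demo-signing-key"
SALT = b"constructed-demo-salt"

def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

USERS = {"admin@example.com": {"role": "sysadmin", "pw": hash_password("correct horse")}}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def mint_jwt(email: str, role: str, ttl: int = 3600) -> str:
    """Build an HS256 JWT: base64url(header).base64url(payload).base64url(signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "role": role,
                                  "exp": int(time.time()) + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def issue_token_weak(email: str) -> Optional[str]:
    """The flaw the article describes: knowing a valid email is enough to get a token."""
    user = USERS.get(email)
    return mint_jwt(email, user["role"]) if user else None

def issue_token_fixed(email: str, password: str) -> Optional[str]:
    """Corrected flow: a token is minted only after the password is verified."""
    user = USERS.get(email)
    if user is None or not hmac.compare_digest(user["pw"], hash_password(password)):
        return None  # same response for unknown email and wrong password
    return mint_jwt(email, user["role"])

def verify_jwt(token: str) -> Optional[dict]:
    """Server side: reject the token unless the signature and expiry check out."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return claims if claims.get("exp", 0) > time.time() else None
```

Note that a token from the weak path passes `verify_jwt` because the server itself signed it; signature checking cannot compensate for a missing credential check at issuance.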

In an email to Automotive News, Zveare, a part-time beekeeper and director of technology at a digital retailer, said Toyota’s retail customers should not be concerned because the hack did not expose any of their personal information.

“On the other hand, Toyota partners/suppliers should be deeply concerned that their corporate email addresses and other information about their Toyota relationship could have been easily dumped and sold on the black market for phishing campaigns or other malicious purposes,” Zveare said.

Zveare is part of a cadre of white hat hackers who go searching for vulnerabilities in hopes of a reward.

Although Toyota appreciated his security research, Zveare didn’t collect the reward he anticipated.

“Given how much profit they make per year, I think they should definitely allocate some to their security teams that they can use to reward researchers,” Zveare said. “While recognition is always appreciated, if you don’t offer money, it might be more appealing for hackers to sell their exploits on the black market.”

Toyota has a formal program for security researchers looking into potential vulnerabilities. Proffitt said that researchers interested in partnering with Toyota are encouraged to visit www.hackerone.com/toyota.

This is the second major security issue Toyota has faced in recent months. In September 2022, white hat auto hacker Sam Curry and other software security researchers were able to gain access to the personal information of Toyota customers via a telematics service provided by SiriusXM.