Nissan investigated source code exposure, says it plugged leak
Nissan examined a source code leak for its North American division’s mobile apps, marketing tools and more, then secured the server that exposed the data, the company said.
“Nissan conducted an immediate investigation regarding improper access to proprietary company source code,” a spokesperson said. “We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk.”
Tillie Kottmann, a software engineer, publicized leaked information earlier this week on Twitter and Telegram. They told CyberScoop the information came via a “severely mismanaged” server that had the username and password of “admin:admin.” And even after Nissan released a statement that it had secured the system, Kottmann said they could still access “other” Nissan resources.
“I was informed about the server by an anonymous source but acquired it myself and can thus mostly verify it,” Kottmann said via a Twitter direct message exchange. Kottmann said they also heard some ex-Nissan employees recognized projects there.
Poorly configured servers are a common source of online data leaks, in recent months afflicting Razer, medical scans, hotel guests, dating websites and more.
On Monday, Kottmann said the server exposed a broad range of data.
Nissan Canada previously suffered a data breach in 2017.
Kottmann, a Swiss IT consultant and developer, has previously publicized security shortcomings at Deloitte, Mercedes-Benz, Intel and elsewhere.
The technology news site ZDNet first reported on the incident Wednesday.
Updated, 1/8/21: To reflect new statement from Nissan that it had concluded its investigation and secured the system in question.
Updated, 1/8/21: To reflect Kottmann saying they could still access Nissan resources.