Nissan Source Code Compromised Online Due to Exposed Git Server


Nissan's source code leaked online after the company left a Git server exposed on the internet and protected only by default access credentials. The leak was discovered by Tillie Kottmann, a Swiss-based software engineer, who told ZDNet in an interview that she learned of the exposed server from an unnamed source and then analyzed the company's data.

The repository contained critical material, including the source code of Nissan's mobile apps, components of the Nissan ASIST diagnostics tool, the dealer business systems and dealer portal, the company's internal core mobile library, the vehicle logistics portal, market research tools and data, client acquisition and retention tools, vehicle connected services, and multiple back ends and internal tools.

After the data was exposed and began to circulate via torrent links on Telegram and hacking forums, the company shut down the Git server yesterday. Mercedes-Benz suffered a similar leak in May 2020, when the same Swiss researcher discovered a misconfigured GitLab server belonging to the company that exposed the source code of multiple Mercedes-Benz apps and tools.

Nissan's spokesperson confirmed the incident and stated: “Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers, or employees were accessible with this security incident. The affected system has been secured, and we are confident that no information in the exposed source code would put consumers or their vehicles at risk.”

The leaked material has also surfaced in Kottmann's public GitLab repository, which hosts folders of data from leading companies such as Toyota, SunTech, Pepsi, Motorola, MediaTek, Sierra Nevada Corporation, and the U.S. Air Force Research Laboratory, although not all of those folders contain sensitive information that would lead an attacker to protected assets.