Toyota has confirmed a security breach that led to hackers accessing its systems, with about 250GB of data allegedly stolen and later shared on the dark web, according to reports from BleepingComputer.
Investigators tracking the incident attribute the breach to the ZeroSevenGroup hacking collective. They claim to have compromised a Toyota facility in the United States, exfiltrating roughly 240GB of files that include information on employees and customers, contracts, and financial details. The attackers also state that credentials and other network infrastructure data were captured during the intrusion.
In a message accompanying the release, the group stated,
“We breached the US branch of one of the world’s largest automakers (Toyota). We are happy to share the files with you for free. Archive size: 240 GB.”
While Toyota has not publicized the leak date, indirect indicators suggest the breach occurred in 2022, and the published archive contains material dated December 25, 2022. Additional context points to a reported disclosure in October 2022, when Toyota acknowledged a potential exposure of personal information for roughly 296,000 T-Connect service customers.
Earlier reports indicated that the attackers had previously carried out large-scale intrusions on Russian e-commerce platforms before September of that year, signaling a pattern of aggressive cyber activity tied to this group.
Security researchers emphasize that this incident highlights the ongoing risk to major manufacturers whose IT ecosystems span multiple regions. The event underscores the importance of robust access controls, continuous monitoring for unusual data transfers, and prompt incident response planning to limit data exposure and mitigate potential harm to customers and business partners. Attribution in cases like this often combines technical indicators, timing of disclosures, and threat group patterns to establish a likely source and sequence of events. The situation remains a reminder for organizations to regularly review employee and vendor access, strengthen credential hygiene, and ensure that backups and disaster recovery procedures can withstand targeted breaches.

Citations: BleepingComputer reports and subsequent industry analysis attributed to cybersecurity researchers and threat intelligence observers.