The leak originated from a Git server that was left exposed on the internet with its default username and password combo of admin/admin, Tillie Kottmann, a Swiss-based software engineer, told ZDNet in an interview this week.
Kottmann, who learned of the leak from an anonymous source and analyzed the Nissan data on Monday, said the Git repository contained the source code of:
Nissan NA Mobile apps
some parts of the Nissan ASIST diagnostics tool
the Dealer Business Systems / Dealer Portal
Nissan internal core mobile library
Nissan/Infiniti NCAR/ICAR services
client acquisition and retention tools
sale / market research tools + data
various marketing tools
the vehicle logistics portal
vehicle connected services / Nissan connect things
and various other backends and internal tools
Nissan is investigating the leak
The Git server, a Bitbucket instance, was taken offline yesterday after the data started circulating on Monday in the form of torrent links shared on Telegram channels and hacking forums.
Reached for comment, a Nissan spokesperson confirmed the incident.
"Nissan conducted an immediate investigation regarding improper access to proprietary company source code. We take this matter seriously and are confident that no personal data from consumers, dealers or employees was accessible with this security incident. The affected system has been secured, and we are confident that there is no information in the exposed source code that would put consumers or their vehicles at risk," the Nissan rep told ZDNet in an email.