
US car manufacturer General Motors (GM) revealed that it was the victim of a credential stuffing attack last month. As a result, some customers’ information was exposed, and attackers were able to redeem reward points for gift cards.

General Motors runs an online platform that lets owners of GMC, Chevrolet, Cadillac, and Buick vehicles manage their services and bills and redeem rewards based on the points they earn.

Owners can redeem reward points for vehicle services or accessories and for OnStar service plans.

According to GM, it discovered suspicious login activity between April 11th and April 29th, 2022, and concluded that in some cases attackers had been redeeming customer reward points for gift cards. A data breach notification sent to the affected customers read:

“We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization.”

GM stated that it intends to restore the reward points of all affected customers. However, the breach did not result from a compromise of GM’s own systems; it was caused by a sustained series of credential stuffing attacks targeting customers of the platform.

For those unfamiliar with the term, credential stuffing is an attack in which threat actors take username and password combinations leaked in breaches of other websites and try them against accounts on a different website, relying on users having reused the same password.
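As an added illustration (not code from the article or from GM), the following Python snippet shows how a defender can spot the pattern described above in web login logs: one source address trying many different usernames with a high failure rate, and any successful logins from that source being treated as likely account takeovers that need a forced password reset. The log format and the sample lines are constructed for the example.

```python
# Heuristic: one source address trying many *different* usernames with a
# high failure rate (most leaked passwords will not work on the new site).
# Successful logins from such a source are account-takeover candidates.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (hypothetical format): timestamp src_ip username result
SAMPLE_LOG = """\
2022-04-11T10:00:01Z 198.51.100.7 alice@example.com FAIL
2022-04-11T10:00:02Z 198.51.100.7 bob@example.com FAIL
2022-04-11T10:00:02Z 198.51.100.7 carol@example.com SUCCESS
2022-04-11T10:00:03Z 198.51.100.7 dave@example.com FAIL
2022-04-11T10:00:03Z 198.51.100.7 erin@example.com FAIL
2022-04-11T10:00:04Z 198.51.100.7 frank@example.com FAIL
2022-04-11T10:00:05Z 198.51.100.7 grace@example.com SUCCESS
2022-04-11T10:01:00Z 203.0.113.25 ivan@example.com FAIL
2022-04-11T10:01:20Z 203.0.113.25 ivan@example.com FAIL
2022-04-11T10:01:40Z 203.0.113.25 ivan@example.com SUCCESS
"""

@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    usernames: set = field(default_factory=set)   # distinct accounts tried
    successes: set = field(default_factory=set)   # accounts that logged in

def aggregate(log_text):
    """Group login attempts by source IP address."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.usernames.add(user)
        if result == "SUCCESS":
            s.successes.add(user)
        else:
            s.failures += 1
    return stats

def detect_stuffing(log_text, min_usernames=5, min_fail_ratio=0.6):
    """Return {src_ip: accounts to force-reset} for every source whose pattern
    (many distinct usernames, mostly failing) looks like credential stuffing."""
    flagged = {}
    for ip, s in aggregate(log_text).items():
        if len(s.usernames) >= min_usernames and s.failures / s.attempts >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged
```

A legitimate user who mistypes a password a couple of times (the second source above) is not flagged, because the heuristic keys on the number of distinct accounts tried, not on failures alone.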

The statement by GM explained:

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

GM has instructed affected users to “reset their passwords” before they next use their GM accounts.

Once logged in to a customer’s GM account, the attackers could view the personal information GM stores about that customer, including:

  • first and last names
  • personal email addresses
  • home addresses
  • phone numbers of registered family members
  • last known location and favorites
  • family members’ photos (if applicable)
  • display pictures
  • search history

The attackers may also have viewed other data held in the account, such as car mileage history, service history, Wi-Fi hotspot settings, and emergency contacts. However, since GM accounts do not store Social Security numbers, driver’s license numbers, credit card numbers, or bank account information, that information should remain safe.

Aside from resetting passwords, GM has also advised customers to review their credit card statements with their banks as a precaution and to freeze their cards if necessary. Instructions for both were enclosed with the notice.

Had GM’s website supported two-factor authentication, this data breach would not have taken place. Although customers must enter a PIN before making a purchase, security needs to be tightened to prevent losses of this magnitude in future.

According to the sample notification filed with the California Attorney General’s Office, just under 5,000 customers in that state were affected.

Apart from the email to affected customers, General Motors has not yet addressed the rest of its customer base regarding the attack.