Last month, GM said it had been the target of a credential stuffing attack that exposed certain customers’ personal information and allowed hackers to exchange rewards points for gift cards. Owners of Chevrolet, Buick, GMC, and Cadillac automobiles may use an online portal to manage their payments, services, and reward points redemption.
GM rewards points may be used to purchase GM automobiles, car servicing, accessories, and OnStar service plans. GM observed unauthorized login activity between April 11th and April 29th, 2022, and confirmed that the hackers cashed customer reward points for gift cards in some situations.
“We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization,” clarifies a data breach notification sent to the affected customers.
According to GM, all customers affected by the hack will have their reward points restored. However, these account takeovers are not the outcome of a breach of GM's own systems, but of a wave of credential stuffing attempts targeting consumers on its platform. In a credential stuffing attack, threat actors take collections of username/password combinations exposed in other sites' data breaches and replay them against the login form of a different site, gaining access to every account whose owner reused the same credentials.
“Based on the investigation to date, there is no evidence that the login information was obtained from GM itself,” clarifies a different data breach notification from General Motors. “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.” Before logging back into their accounts, GM requires impacted customers to reset their passwords.
When hackers gained access to a GM account, they could view some information saved on the site. This data comprises the following personal information:
- First and last name,
- profile picture,
- personal email address,
- personal address,
- last known and saved favorite location information,
- username and phone number for registered family members tied to the account,
- family members’ avatars and photos (if uploaded),
- currently subscribed OnStar package (if applicable),
- search and destination information.
When hackers break into GM accounts, they may also have access to automobile mileage data, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and more. On the other hand, GM accounts do not store dates of birth, Social Security numbers, driver’s license numbers, credit card numbers, or bank account numbers, so none of that more sensitive data was exposed.
Apart from changing passwords, GM recommends that concerned consumers request credit reports from their institutions and, if necessary, place a security freeze. The notification includes instructions on how to do either. Unfortunately, GM’s website does not offer two-factor authentication, which would stop credential stuffing attacks from succeeding even when a reused password is correct. However, it is feasible to require customers to enter a PIN for all purchases, which would at least block the reward-point redemptions seen in this incident.
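The two passages above describe the attack (replaying leaked credentials against many accounts from a few sources) and the mitigations (password resets, step-up authentication). The following is an added illustration, not code from GM or from the article, of how a defender would spot the pattern in a site's own authentication log: a single source that tries many distinct usernames with a low success rate is behaving like a stuffing tool, not like a customer mistyping their password. The log format, thresholds, IP addresses and usernames are constructed for the example.

```python
"""Toy credential-stuffing detector over constructed authentication log lines.

Added example; the log format, source IPs, usernames and the thresholds in
flag_stuffing() are assumptions chosen for illustration, not GM's systems.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log: "<timestamp> <source-ip> <username> <FAIL|SUCCESS>".
# 198.51.100.7 walks through a credential list (8 users, 2 hits), while the
# other two sources look like ordinary customers logging into their own accounts.
SAMPLE_LOG = """\
2022-04-11T02:00:01Z 198.51.100.7 alice@example.com FAIL
2022-04-11T02:00:02Z 198.51.100.7 bob@example.com FAIL
2022-04-11T02:00:03Z 198.51.100.7 carol@example.com SUCCESS
2022-04-11T02:00:04Z 198.51.100.7 dave@example.com FAIL
2022-04-11T02:00:05Z 198.51.100.7 erin@example.com FAIL
2022-04-11T02:00:06Z 198.51.100.7 frank@example.com SUCCESS
2022-04-11T02:00:07Z 198.51.100.7 grace@example.com FAIL
2022-04-11T02:00:08Z 198.51.100.7 heidi@example.com FAIL
2022-04-11T09:15:00Z 203.0.113.5 alice@example.com FAIL
2022-04-11T09:15:20Z 203.0.113.5 alice@example.com SUCCESS
2022-04-11T10:00:00Z 192.0.2.9 bob@example.com SUCCESS
"""


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)        # distinct usernames tried
    compromised: set = field(default_factory=set)  # usernames that logged in


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, succeeded)."""
    ts, ip, user, outcome = line.split()
    return ts, ip, user, outcome == "SUCCESS"


def profile_sources(log_text):
    """Aggregate login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.compromised.add(user)
    return stats


def flag_stuffing(stats, min_users=5, max_success_rate=0.5):
    """Return {ip: sorted accounts that logged in} for sources that tried at
    least min_users distinct usernames with a success rate at or below
    max_success_rate. A real customer retries one account; a stuffing tool
    walks a list of leaked pairs and only a fraction of them still work."""
    flagged = {}
    for ip, s in stats.items():
        if len(s.users) >= min_users and s.successes / s.attempts <= max_success_rate:
            flagged[ip] = sorted(s.compromised)
    return flagged


def accounts_to_reset(log_text):
    """Accounts that authenticated from a flagged source: the set a defender
    would force through a password reset (as GM did) and, where available,
    a step-up check such as a PIN before any points redemption."""
    flagged = flag_stuffing(profile_sources(log_text))
    return sorted({u for users in flagged.values() for u in users})


if __name__ == "__main__":
    for ip, users in flag_stuffing(profile_sources(SAMPLE_LOG)).items():
        print(f"{ip}: stuffing pattern, accounts reached: {users}")
    print("force reset:", accounts_to_reset(SAMPLE_LOG))
```

The thresholds are deliberately simple; in production one would also bucket by time window, look at user-agent and ASN, and correlate successful logins with sensitive actions (here, points redemption) so that a success from a flagged source triggers step-up authentication rather than only an after-the-fact reset.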
In terms of the number of consumers affected, GM has only filed a notification sample to the California Attorney General’s Office, so we only know the number of customers affected in that state, which is a little under 5,000. General Motors has yet to respond to a request for further information on the subject.