The popular vehicle company General Motors has recently admitted to suffering a cyber attack. Reportedly, General Motors faced credential stuffing attacks that exposed the personal data of its customers. The firm asked customers to reset their passwords.
General Motors Credential Stuffing Attack
According to the details shared in a breach notification letter, General Motors suffered a credential stuffing attack.
Sharing the details in two different versions of the notification, the firm elaborated that the incident caught their attention when they noticed unauthorized reward redemption attempts. The firm has reassured the customers to restore any points redeemed this way.
Regarding the incident, GM explained that the breach happened between April 11, 2022, and April 29, 2022.
Between April 11, 2022 and April 29, 2022, we identified some suspicious log ins to certain GM online customer accounts and identified recent redemption of customer reward points for gift cards that may have been performed without the customers’ authorizations.
Consequently, they suspended this feature and started investigations. They found that the unauthorized attackers gained access to users’ accounts via credential stuffing. It means that the breach didn’t happen due to any flaw within the GM network. Instead, the attackers exploited already breached login credentials available online to access customer accounts.
Since this activity allowed unrestricted access to accounts, GM fears that the incident potentially exposed customers’ personal data.
Regarding the breached details, the notification reads,
Through this unauthorized activity, the unauthorized parties could have gained access to limited personal information of your GM online or mobile application accounts, such as first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points.
Nonetheless, information like financial data, driver’s license numbers or Social Security Numbers remained unaffected since GM never stores them.
Through the letter, it seems GM had already informed the affected individuals about the incident via separate emails. Also, they have reported the matter to law enforcement for further action.
As for the customers, they urge them to reset their login credentials to secure their accounts and avoid reusing passwords.
Let us know your thoughts in the comments.