US car manufacturer General Motors disclosed that a credential stuffing attack last month compromised some customers' information and allowed hackers to redeem rewards points for gift cards. General Motors operates an online platform to help car owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills & services, as well as redeem GM rewards points, which can go towards GM vehicles, car service, accessories, and purchasing OnStar service plans.
GM reported detection of malicious login attempts between April 11th and April 29th, 2022. The car manufacturer giant states that the credentials were not obtained from GM, rather, threat actors gained access to customer credentials that were previously compromised on other non-GM sites. These login details were then reused on the customer’s GM account. GM says that it will be restoring rewards points for all customers affected by this breach.
As a result of the attack, this type of information was breached from compromised GM accounts:
- First and last name,
- personal email address,
- personal address,
- username and phone number for registered family members tied to the account,
- last known and saved favorite location information,
- currently subscribed OnStar package (if applicable),
- family members' avatars and photos (if uploaded),
- profile picture,
- search and destination information.
According to Bleeping Computer's article, “Other information available to hackers when they breach GM accounts is car mileage history, service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and more. However, the GM accounts do not hold date of birth, Social Security number, driver's license number, credit card information, or bank account information, so that information hasn't been compromised.
For mitigation, individuals should start with resetting their password. General Motors also advises impacted individuals to request credit reports from their banks & place a security freeze (if the case calls for it.) Instructions on how to do either are in the notice. At the moment, unfortunately, GM's website does not support two-factor authentication, which would prevent credential stuffing attacks. Customers should add a PIN to use for all purchases.