US car manufacturing giant General Motors (GM) was hit with a credential stuffing attack last month that prompted the company to write two data breach notifications to the affected customers.
The US auto manufacturer announced that it had detected malicious login activity between 11 and 29 April 2022, and that the credential stuffing attack had made customer information public.
Owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage bills and redeem rewards points on GM’s online platform.
Correspondence from GM further revealed that the credential stuffing attack had enabled hackers to redeem rewards points for gift cards.
"We are writing to follow-up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorisation," GM said in a data breach notification sent to affected customers.
Malicious cyber actors carried out a "credential stuffing attack", in which login data obtained from a previous breach at an unrelated service is used to unlock and log in to another service.
"Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself," GM said in one of the data breach notifications.
"We believe that unauthorised parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account."
The hackers obtained personal information about customers, including first and last names, personal email addresses, home addresses, usernames and phone numbers. Car-related data was also compromised: the hackers had access to car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords).
The hackers also uncovered details about registered family members tied to accounts, last known and saved favourite locations, family members’ avatars and photos (if uploaded), profile pictures, and search and destination information.
According to GM, the hackers had redeemed some customer reward points for gift cards.
GM advised affected customers to reset their passwords, request credit reports and freeze bank accounts if necessary. The company also confirmed all affected customers will have their stolen rewards points restored.
Nastasha is a journalist at Momentum Media. She reports extensively across veterans affairs, cyber security and geopolitics in the Indo-Pacific. She is a co-author of a book titled The Stories Women Journalists Tell, published by Penguin Random House. Previously, she was a Content Producer at Verizon Media, a Digital Producer for Yahoo! and Channel 7, a Digital Journalist at Sky News Australia, as well as a Website Manager and Digital Producer at SBS Australia. Nastasha started her career in media as a Video Producer and Digital News Presenter at News Corp Australia.