General Motors (GM) has revealed it was the target of a credential stuffing attack in April 2022. The attackers successfully logged into customer accounts and redeemed reward points.
In an email to the affected users, General Motors said its investigation shows its own systems were not hacked. The login credentials used in the attack were apparently obtained from a previous breach that did not involve the company.
According to the American car manufacturer, the attackers could view customers' personal information on its site once logged in. That information is private, but it did not include more sensitive details such as users' date of birth, Social Security number, driver's license number, or financial data like credit card and bank account details.
Attackers Logged Into Customer Accounts and Redeemed Reward Points
General Motors said it noticed suspicious account activity between April 11, 2022, and April 29, 2022. Specifically, it observed logins and redemption of reward points for gift cards, which “may have been performed without the customers’ authorization.”
Consequently, the company disabled the reward-point redemption feature on its website and notified the affected customers, requiring them to reset their passwords before they can access their GM accounts again. General Motors said it has also notified law enforcement about the incident and continues to monitor the situation.
The company has promised to restore any points redeemed without authorization to the affected accounts.
What Is Credential Stuffing?
Credential stuffing is a type of cyberattack in which attackers take username and password pairs leaked in a data breach at one service and replay them against the login forms of other services, betting that the same people reused the same password. Attackers usually obtain the leaked credentials from breach dumps sold or shared on the dark web, then use automated tools, often routed through large pools of proxy IP addresses, to try thousands of pairs at a time.
It is unclear where the attackers obtained the credentials used in the attack on General Motors' website.
Credential stuffing is becoming increasingly common. Cybercriminals are taking advantage of the ill-advised, yet widespread, practice of reusing the same login credentials across different online platforms.
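The pattern a defender looks for in authentication logs follows directly from how the attack works: one source tries many different usernames, each only once or twice, with a very low success rate (the opposite of a brute-force attack, which hammers one account). The script below is an added example, not GM's detection logic or anything GM has published: it parses a constructed log format, flags source IPs whose traffic in a time window fits that shape, and lists the accounts those sources logged into successfully, which are the ones a company would have to notify and force to reset their passwords. The log lines, IP addresses, usernames and thresholds are all invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class LoginEvent:
    ts: datetime
    ip: str
    username: str
    success: bool


# Constructed sample log (not real traffic), format: "timestamp ip username result".
# 203.0.113.10 shows the stuffing shape: twelve different usernames, each tried
# once, with a single success. 198.51.100.7 is a legitimate user mistyping a
# password twice and then getting in.
SAMPLE_LOG = """\
2022-04-12T03:00:01Z 203.0.113.10 user01@example.com FAIL
2022-04-12T03:00:02Z 203.0.113.10 user02@example.com FAIL
2022-04-12T03:00:03Z 203.0.113.10 user03@example.com FAIL
2022-04-12T03:00:04Z 203.0.113.10 user04@example.com OK
2022-04-12T03:00:05Z 203.0.113.10 user05@example.com FAIL
2022-04-12T03:00:06Z 203.0.113.10 user06@example.com FAIL
2022-04-12T03:00:07Z 203.0.113.10 user07@example.com FAIL
2022-04-12T03:00:08Z 203.0.113.10 user08@example.com FAIL
2022-04-12T03:00:09Z 203.0.113.10 user09@example.com FAIL
2022-04-12T03:00:10Z 203.0.113.10 user10@example.com FAIL
2022-04-12T03:00:11Z 203.0.113.10 user11@example.com FAIL
2022-04-12T03:00:12Z 203.0.113.10 user12@example.com FAIL
2022-04-12T03:01:00Z 198.51.100.7 alice@example.com FAIL
2022-04-12T03:01:20Z 198.51.100.7 alice@example.com FAIL
2022-04-12T03:01:45Z 198.51.100.7 alice@example.com OK
"""


def parse_log(text):
    """Parse the constructed 'timestamp ip username result' lines into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        # fromisoformat needs an explicit offset on older Pythons, so map Z to +00:00.
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(stamp, ip, user, result == "OK"))
    return events


def detect_stuffing_sources(events, window=timedelta(minutes=5), min_attempts=10,
                            min_distinct_ratio=0.8, max_success_rate=0.2):
    """Return {ip: stats} for sources whose traffic in any window looks like stuffing.

    Heuristic (thresholds are illustrative, tune them to your own baseline):
      - enough attempts to be more than a fumbled login,
      - nearly every attempt is against a different username,
      - almost all attempts fail.
    """
    buckets = defaultdict(list)
    for e in events:
        # Fixed windows aligned to the epoch; a sliding window would be stricter.
        idx = int(e.ts.timestamp() // window.total_seconds())
        buckets[(e.ip, idx)].append(e)

    flagged = {}
    for (ip, _), evs in buckets.items():
        attempts = len(evs)
        distinct = len({e.username for e in evs})
        successes = sum(1 for e in evs if e.success)
        if (attempts >= min_attempts
                and distinct / attempts >= min_distinct_ratio
                and successes / attempts <= max_success_rate):
            flagged[ip] = {"attempts": attempts, "distinct_users": distinct,
                           "successes": successes}
    return flagged


def compromised_accounts(events, flagged_ips):
    """Accounts that a flagged source logged into successfully: the ones to
    lock, notify and force through a password reset."""
    return sorted({e.username for e in events
                   if e.success and e.ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_stuffing_sources(evs)
    for ip, stats in hits.items():
        print(f"stuffing source {ip}: {stats}")
    print("accounts to reset:", compromised_accounts(evs, hits))
```

Per-IP thresholds catch the naive version of the attack. Mature stuffing tools spread attempts across thousands of residential proxy addresses so that no single IP crosses a threshold, which is why this check should be paired with site-wide signals (a jump in the overall login failure rate or in the number of distinct usernames failing per minute), rate limits on the login endpoint, and rejection of passwords that appear in known breach corpora.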
Earlier this year, the New York State Attorney General said over a million people have fallen victim to credential stuffing attacks.
In a major attack in 2020, attackers used stolen credentials to compromise 350,000 Spotify accounts. Meanwhile, Zola, a startup that provides wedding planning services, confirmed over the weekend that several customer accounts have been compromised after a credential stuffing attack. The company has reached out to the affected users and is providing additional support.
In January, the New York Attorney General's office issued a protection guide for businesses to help them bolster their defenses against credential stuffing attacks. The FBI has also issued an advisory to the American financial sector warning about the rise of credential stuffing attacks.
GM Attackers Gained Access to Customer Information
The user data that the attackers could access in the credential stuffing attack on General Motors' website includes:
- first and last names,
- email addresses,
- physical addresses,
- usernames and phone numbers of family members linked to customer accounts,
- last known location information,
- saved favorite location information,
- family members' avatars and any uploaded photos,
- profile pictures,
- search and destination information.
As stated above, credential stuffing attacks take advantage of our tendency to reuse the same password on different platforms. As we create more online accounts, the chance that we reuse a password increases, because coming up with a unique password for every account and remembering them all is cumbersome.
If you’re looking for a solution to this problem, we recommend checking out our article on the best password managers of 2022.