GM Credential Stuffing Attack Reveals Automobile Owners’ Details
The attack exposed user information and allowed the attackers to redeem rewards points for gift cards.
General Motors is a global American automobile manufacturer headquartered in Detroit, Michigan. It is the largest automaker based in the United States and one of the largest motor vehicle manufacturers in the world.
Owners of Chevrolet, Buick, GMC, and Cadillac vehicles have access to an online portal operated by General Motors, which lets them manage their bills and scheduled servicing and redeem rewards points.
GM rewards points may be redeemed by vehicle owners for GM automobiles, car services, car accessories, and even the purchase of OnStar service plans.
GM reported that it detected the fraudulent login activity between April 11 and April 29, 2022, and confirmed that in some cases the attackers were able to redeem customer reward points for gift cards.
Credential stuffing is a form of cyberattack in which attackers take large lists of usernames and passwords, many of them stolen in earlier data breaches, and use automated tooling to "stuff" those logins into other online services.
In a credential stuffing attack, the fraudster uses the access gained to consumer accounts to make fraudulent transactions, run phishing campaigns, and steal information, money, or both. Credential stuffing is particularly dangerous for people who reuse the same username and password across multiple accounts, since a single leaked password then gives the attacker access to all of them.
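The defining signature of credential stuffing, as described above, is one source trying many different usernames with a low success rate, which is distinct from both normal user behaviour (a few attempts on one account) and single-account brute force (many attempts on one username). The following detector is an added example written for this article, not GM's code or any tool named on the page; the log format, the thresholds, and the sample log lines are all constructed assumptions.

```python
"""Flag credential-stuffing patterns in web login logs.

Added example: the log format (timestamp, source IP, username, result)
and every log line below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class LoginEvent(NamedTuple):
    time: datetime
    ip: str
    user: str
    ok: bool


# Constructed sample log: three behaviours a detector must tell apart.
SAMPLE_LOG_LINES: List[str] = [
    # 1) Normal user: one typo, then a successful login.
    "2022-04-11T09:00:01Z 192.0.2.10 alice@example.com FAIL",
    "2022-04-11T09:00:09Z 192.0.2.10 alice@example.com OK",
] + [
    # 2) Credential stuffing: one source, a different username every
    #    attempt, almost all failing (user7's reused password works).
    f"2022-04-11T09:10:{i:02d}Z 203.0.113.7 user{i}@example.com "
    f"{'OK' if i == 7 else 'FAIL'}"
    for i in range(12)
] + [
    # 3) Single-account brute force: many attempts, but one username only.
    f"2022-04-11T09:20:{i:02d}Z 198.51.100.5 bob@example.com FAIL"
    for i in range(12)
]

_EPOCH = datetime(1970, 1, 1)


def parse_line(line: str) -> LoginEvent:
    """Parse one constructed log line into a LoginEvent."""
    ts, ip, user, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return LoginEvent(when, ip, user.lower(), result == "OK")


def detect_stuffing(
    events: List[LoginEvent],
    window: timedelta = timedelta(minutes=5),
    min_attempts: int = 10,
    min_distinct_users: int = 8,
    max_success_rate: float = 0.25,
) -> Dict[str, dict]:
    """Return {source_ip: stats} for sources that look like credential stuffing.

    A source is flagged when, inside one fixed time window, it makes at
    least `min_attempts` logins against at least `min_distinct_users`
    different usernames and succeeds on at most `max_success_rate` of them.
    Thresholds are illustrative assumptions; tune them on real traffic.
    """
    buckets: Dict[tuple, List[LoginEvent]] = defaultdict(list)
    for ev in events:
        # timedelta // timedelta gives the window index as an int,
        # independent of local time zone or DST.
        bucket = (ev.time - _EPOCH) // window
        buckets[(ev.ip, bucket)].append(ev)

    alerts: Dict[str, dict] = {}
    for (ip, _bucket), evs in buckets.items():
        attempts = len(evs)
        distinct_users = len({ev.user for ev in evs})
        successes = sum(1 for ev in evs if ev.ok)
        success_rate = successes / attempts
        if (
            attempts >= min_attempts
            and distinct_users >= min_distinct_users
            and success_rate <= max_success_rate
        ):
            alerts[ip] = {
                "attempts": attempts,
                "distinct_users": distinct_users,
                "successes": successes,
                # Accounts that *did* log in from a stuffing source are the
                # ones to lock, notify, and force a password reset on.
                "compromised": sorted(ev.user for ev in evs if ev.ok),
            }
    return alerts


def scan(lines: List[str]) -> Dict[str, dict]:
    """Parse raw log lines and run the detector over them."""
    return detect_stuffing([parse_line(line) for line in lines])


if __name__ == "__main__":
    for ip, stats in scan(SAMPLE_LOG_LINES).items():
        print(f"credential stuffing from {ip}: {stats}")
```

The brute-force source is deliberately not flagged here because it targets one username; it needs its own rule (attempts per account), and the normal user never reaches the attempt threshold. The `compromised` list is the operationally useful output: those are the accounts whose reused passwords worked and which need a reset and a notification like the one GM sent.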
We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization.
GM has announced that it will reinstate rewards points for all customers whose accounts were affected by the incident.
These account compromises did not stem from a breach of General Motors' own systems; they were the result of a wave of credential stuffing attempts aimed at users of its platform.
According to BleepingComputer, once an attacker had successfully logged into a GM account, they could view certain information stored on the site. That data includes the following details about the individual:
- first and last name,
- personal email address,
- personal address,
- username and phone number for registered family members tied to the account,
- last known and saved favorite location information,
- currently subscribed OnStar package (if applicable),
- family members’ avatars and photos (if uploaded),
- profile picture,
- search and destination information.
Once attackers have access to a GM account, they can also view a range of other information, including the vehicle's mileage and service history, emergency contacts, Wi-Fi hotspot settings (including passwords), and more.
GM accounts, on the other hand, do not store a person's date of birth, Social Security number, driver's license number, credit card information, or bank account information, so none of that data was exposed.
Unfortunately, GM's online platform does not support two-factor authentication, which would prevent credential stuffing attacks from succeeding.
How to Protect Yourself from Credential Stuffing
Each of us now manages multiple online accounts. Taking full advantage of digital services means creating an account on a great many portals. Besides your main email and social media accounts, you will be asked to create an account for the following types of service:
- Various loyalty programs for the offline stores you shop from;
- Online retail shops;
- Online entertainment providers (think Netflix);
- Data storage or compression tools;
- Public institutions prompting you to log in before you can view reports;
- Many other online tools that require registration before you can use them.