GM credential stuffing attack exposed car owners’ personal info


US car manufacturer GM disclosed that it was the victim of a credential stuffing attack last month that exposed some customers’ information and allowed hackers to redeem rewards points for gift cards.

General Motors operates an online platform that helps owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and services and redeem rewards points.

Car owners can redeem GM rewards points towards GM vehicles, car service, accessories, and OnStar service plans.

Targeted in credential stuffing attack

GM disclosed that they detected the malicious login activity between April 11th and April 29th, 2022, and confirmed that the hackers redeemed customer reward points for gift cards in some cases.

“We are writing to follow up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization,” explains a data breach notification sent to affected customers.

GM states they will be restoring rewards points for all customers affected by this breach.

However, these breaches are not the result of General Motors being hacked but were instead caused by a wave of credential stuffing attacks targeting customers on its platform.

In a credential stuffing attack, threat actors take collections of username/password combinations leaked in other sites’ data breaches and try them against a website to gain access to its user accounts.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” explains a different data breach notification from GM.

“We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”

GM requires affected users to reset their passwords before logging in to their accounts again.
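How the pattern described above can surface in authentication logs, as an added defender-side example (not GM's code and not taken from its notifications): one source trying many distinct usernames with few successes, then redeeming points on the accounts it got into. The event names, thresholds, and log tuples are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample events (not real logs): (timestamp_s, source_ip, username, event)
EVENTS = [(i, "203.0.113.7", f"user{i:02d}", "login_fail") for i in range(8)] + [
    (8, "203.0.113.7", "dana", "login_ok"),
    (9, "203.0.113.7", "frank", "login_ok"),
    (30, "203.0.113.7", "dana", "redeem_gift_card"),
    (40, "198.51.100.20", "erin", "login_fail"),   # ordinary user mistyping once
    (45, "198.51.100.20", "erin", "login_ok"),
    (90, "198.51.100.20", "erin", "redeem_gift_card"),
]

def flag_stuffing_sources(events, min_users=5, max_success_ratio=0.25):
    """Sources that tried many distinct usernames and mostly failed."""
    users, ok, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, ip, user, event in events:
        if event in ("login_ok", "login_fail"):
            users[ip].add(user)
            total[ip] += 1
            ok[ip] += event == "login_ok"
    return {ip for ip in users
            if len(users[ip]) >= min_users
            and ok[ip] / total[ip] <= max_success_ratio}

def accounts_to_review(events, window_s=3600):
    """Accounts a flagged source logged in to, and whether that source
    redeemed points on them within window_s seconds of the login."""
    flagged = flag_stuffing_sources(events)
    hits = {}
    for ts, ip, user, event in sorted(events):
        if ip in flagged and event == "login_ok":
            hits[user] = {"ip": ip, "login_ts": ts, "redeemed": False}
        elif (event == "redeem_gift_card" and user in hits
              and ip == hits[user]["ip"]
              and ts - hits[user]["login_ts"] <= window_s):
            hits[user]["redeemed"] = True
    return hits

if __name__ == "__main__":
    for user, info in accounts_to_review(EVENTS).items():
        action = "force reset + restore points" if info["redeemed"] else "force reset"
        print(f"{user}: accessed from {info['ip']} -> {action}")
```

Grouping by source IP is a simplification: attempts spread across many addresses need grouping on other shared signals as well.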

Personal information exposed

When the hackers successfully breached a GM account, they could access certain information stored on the site. This information includes the following personal details:

  • First and last name,
  • personal email address,
  • personal address,
  • username and phone number for…