GM Customer Data Exposed in Gift Card-Grabbing Cyberattack

Hackers used breached credentials to redeem gift cards from customers’ reward points.

byRob StumpfMay 25, 2022 4:42 PM
GM credential stuffing breach
via General Motors
Share

General Motors' customers were targeted in a cyberattack levied against the automaker in April, according to a letter filed May 16 with the California Attorney General.

The breach was uncovered after GM decided to investigate several suspicious login attempts to customer accounts from April 11-29. The automaker confirmed to The Drive that it found approximately 140 breached accounts, many of which had a balance of reward points. After gaining access to the account, which was not designed to be secured by multifactor authentication, the attackers then redeemed the points for gift cards. GM then suspended the redemption feature until it could determine the full extent of the issue.

GM says that it was unable to produce evidence during the investigation that shows that the attack used credentials or a login vulnerability from its systems directly, and determined that the affected customers had already been the victim of a data breach elsewhere on the internet.

This type of attack is called "credential stuffing." As the name implies, the bad actor behind the attack uses credentials that have been previously dumped as the result of another breach (often downloaded or purchased from the dark web) and attempted to log in to GM's systems using these credentials. When a login is successful, the attacker appears to have checked if the account had a reward balance and, if so, redeemed it for gift cards without the user's knowledge.

Because the bad actor also had access to the user's account, GM says that they may have had access to other personal information, such as:

  • Full Name
  • Phone number
  • Personal address
  • Email address
  • Last known location
  • Saved locations information
  • Search and destination information
  • Username, phone number, as well as avatars and photos for any family members tied to the account

Other vehicle-centric information is also available inside of the account, such as emergency contact information, Wi-Fi hotspot settings (including passwords), vehicle mileage, and service history. GM says that more sensitive information like date of birth, Social Security number, driver's license number, and credit card information have not been exposed. As a precaution, the automaker notified law enforcement and affected customers of the issue. Users have been asked to reset their passwords.

"At General Motors, the security of our customer’s personal information is of the utmost importance to us. We utilize security measures to safeguard against unauthorized access and we’ve detected some suspicious attempts to log into certain GM branded online accounts," a GM spokesperson said in a statement to The Drive. "We are taking swift action and continuing to protect our customers and their personal information. Our investigation is ongoing."

Credential stuffing accounts are difficult to combat from a technical perspective, however, users can protect themselves quite easily. First, never reuse passwords, and second, enable multifactor authentication wherever possible. You can check to see if your email address has been affected by known data breaches by using a trusted tool such as HaveIBeenPwned.

Got a tip or question for the author? Contact them directly: rob@thedrive.com