If you are alive and pay taxes, you have probably had personal information stolen in a data breach. It’s simply an unavoidable facet of living in the modern age, even if you take every precaution. Stellantis customers are among the latest victims of the phenomenon, as the automaker announced on Sunday (great day to share concerning news, guys) that a nefarious actor had gained “unauthorized access to a third-party service provider’s platform that supports [its] North American customer service operations.” What makes this particular instance so worrying, though, is how that data is being used to supercharge phishing attacks.
According to Stellantis, the data taken was “limited to contact information,” and did not include financial or sensitive personal info. IT security site BleepingComputer reported that the ShinyHunters extortion group claimed responsibility for the attack, one of many recent efforts targeting businesses that use Salesforce. The thieves said they made off with 18 million records, including names and contact details, from Stellantis’ Salesforce account.
Stolen phone numbers and email addresses may not sound all that horrible, but they can still create potential for especially damaging scams. Everyone’s familiar with phishing attacks aiming to convince targets to give up money or payment info, but, as our friends at The Autopian point out, criminals today use the ubiquity of leaked data already floating around the web to convince you that they are who they say they are. It could take the form of a phone call from a human or human-sounding voice, aiming to gain your trust by using your real name, email, or home address, for example, before going in for the kill.
Somebody actually tried a scam like this on me last year, when I received an email with a subject line that was a password I haven’t used in probably 10 years. That was certainly alarming enough to get my attention, and when I read the email, it demanded ransom, or else the scammer would reveal the sordid, filthy websites I apparently like to visit. You’ll have to try harder than that to get my web history, jerks!
All this is to say that phishing is getting more sophisticated. And it’s for that reason that Stellantis says it encourages “customers to remain vigilant against potential phishing attempts and avoid clicking on suspicious links or sharing personal information in response to unexpected emails, texts, or calls.” If you want to verify that Stellantis is actually asking you for money—something it probably wouldn’t just do out of the blue, without prior communication in text or mail—the company says you should contact it directly via official channels. And, the way things are going, that’s generally good practice with any caller.