GM Drivers Struck With Credential Stuffing Cyberattack Exposing Personal Info

gm drivers credential stuffing cyber attack exposing personal info news
Research from earlier this year showed that hackers can remotely unlock and start Honda and Acura vehicles by exploiting a vulnerability in the remote keyless system. However, cybercriminals targeting the automotive industry don’t have to steal your car when they can steal something potentially more valuable: your data.

General Motors (GM), the automotive company behind the Chevrolet, Buick, GMC, and Cadillac brands, is alerting its customers to a series of cyberattacks targeting the company’s online platform. The notice disclosing the attacks warns of a data breach, but GM says that there was no breach of its internal systems. As far as the automotive manufacturer can tell, threat actors carried out a credential stuffing attack on its user account platform.

Credential stuffing attacks take compromised user login credentials from various online services and enter them into a different service. The success of this kind of attack depends on users reusing the same username and password across multiple online accounts, which is why unique passwords are an important security measure. Unfortunately, some GM customers reused account credentials, and the attackers were able to use compromised user credentials to gain access to a subset of GM user accounts.

gm drivers credential stuffing cyber attack exposing personal info cadillac news

GM detected suspicious login activity between April 11 and April 29 of this year, pointing to a series of credential stuffing attacks that went on for over two weeks. The attackers used access to customer accounts to redeem reward points for gift cards. GM’s notice also states that the attackers could have accessed the following personal information from compromised customer accounts:
  • First and last name
  • Personal email address
  • Personal address
  • Username and phone number for registered family members tied the account
  • Last known and saved favorite location information
  • Currently subscribed OnStar package (if applicable)
  • Family member’s avatars and photos (if uploaded)
  • Profile picture
  • Search and destination information
  • Reward card activity
GM has responded to these attacks by suspending GM accounts, requiring their rightful owners to perform password resets to regain account access. The company also says that it reported the attacks to law enforcement and will restore any reward points that were redeemed by the attackers. GM advises customers to use unique passwords for their online accounts going forward and highlights fraud prevention measures, specifically credit freezes and fraud alerts. GM customers with questions concerning the incident can call the toll-free phone number listed in the notice (PDF).