GM Drivers Struck With Credential Stuffing Cyberattack Exposing Personal Info
General Motors (GM), the automotive company behind the Chevrolet, Buick, GMC, and Cadillac brands, is alerting its customers to a series of cyberattacks targeting the company’s online platform. The notice disclosing the attacks warns of a data breach, but GM says that there was no breach of its internal systems. As far as the automotive manufacturer can tell, threat actors carried out a credential stuffing attack on its user account platform.
Credential stuffing attacks take compromised user login credentials from various online services and enter them into a different service. The success of this kind of attack depends on users reusing the same username and password across multiple online accounts, which is why unique passwords are an important security measure. Unfortunately, some GM customers reused account credentials, and the attackers were able to use compromised user credentials to gain access to a subset of GM user accounts.
- First and last name
- Personal email address
- Personal address
- Username and phone number for registered family members tied the account
- Last known and saved favorite location information
- Currently subscribed OnStar package (if applicable)
- Family member’s avatars and photos (if uploaded)
- Profile picture
- Search and destination information
- Reward card activity