Research from earlier this year showed that hackers can remotely unlock and start Honda and Acura vehicles by exploiting a vulnerability in the remote keyless system. However, cybercriminals targeting the automotive industry don’t have to steal your car when they can steal something potentially more valuable: your data.
General Motors (GM), the automotive company behind the Chevrolet, Buick, GMC, and Cadillac brands, is alerting its customers to a series of cyberattacks targeting the company’s online platform. The notice disclosing the attacks warns of a data breach, but GM says that there was no breach of its internal systems. As far as the automotive manufacturer can tell, threat actors carried out a credential stuffing attack on its user account platform.
Credential stuffing attacks take compromised user login credentials from various online services and enter them into a different service. The success of this kind of attack depends on users reusing the same username and password across multiple online accounts, which is why unique passwords are an important security measure. Unfortunately, some GM customers reused account credentials, and the attackers were able to use compromised user credentials to gain access to a subset of GM user accounts.
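As an added example (not from GM's notice or the original article), here is one way a defender might spot this pattern in login logs: a single source trying many distinct accounts in a short window, with mostly failed logins. The event format, thresholds, and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def sample_events():
    """Constructed login events: (ISO time, source IP, username, success)."""
    t0, ev = datetime(2000, 1, 1, 3, 0), []
    # One source walking a leaked credential list: 12 accounts, 2 hits.
    for i in range(12):
        ev.append(((t0 + timedelta(seconds=30 * i)).isoformat(),
                   "203.0.113.7", f"user{i:02d}", i in (4, 11)))
    # A real user mistyping a password three times, then succeeding.
    for i in range(4):
        ev.append(((t0 + timedelta(seconds=20 * i)).isoformat(),
                   "198.51.100.20", "alice", i == 3))
    # Shared office NAT: several users, all successful.
    for i, user in enumerate(["bob", "carol", "dave"]):
        ev.append(((t0 + timedelta(minutes=i)).isoformat(),
                   "192.0.2.50", user, True))
    return ev

def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=10, min_fail_ratio=0.8):
    """Return {source_ip: [accounts it logged in to]} for flagged sources.

    A source is flagged when, inside any sliding window, it tried at least
    min_users distinct accounts and min_fail_ratio of those tries failed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, ok))
    report = {}
    for ip, rows in by_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop events older than the window
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            fails = sum(1 for _, _, ok in chunk if not ok)
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                # Accounts where a reused password worked: reset candidates.
                report[ip] = sorted({u for _, u, ok in rows if ok})
                break
    return report

if __name__ == "__main__":
    print(find_stuffing_sources(sample_events()))
```

Counting distinct usernames rather than raw failures is what separates this from a single user mistyping a password or a shared office address with several legitimate logins.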
GM detected suspicious login activity between April 11 and April 29 of this year, pointing to a series of credential stuffing attacks that went on for over two weeks. The attackers used access to customer accounts to redeem reward points for gift cards. GM’s notice also states that the attackers could have accessed the following personal information from compromised customer accounts:
- First and last name
- Personal email address
- Personal address
- Username and phone number for registered family members tied to the account
- Last known and saved favorite location information
- Currently subscribed OnStar package (if applicable)
- Family member’s avatars and photos (if uploaded)
- Profile picture
- Search and destination information
- Reward card activity
GM has responded to these attacks by suspending GM accounts, requiring their rightful owners to perform password resets to regain account access. The company also says that it reported the attacks to law enforcement and will restore any reward points that were redeemed by the attackers. GM advises customers to use unique passwords for their online accounts going forward and highlights fraud prevention measures, specifically credit freezes and fraud alerts. GM customers with questions concerning the incident can call the toll-free phone number listed in the notice (PDF).
Nathan Wasson
Nathan grew up with computer hardware news and reviews in the family business and eventually joined the business himself in 2014. He initially joined to make video reviews and help with the podcast, but was soon asked if he would write, and he's been writing about computers ever since. More recently, Nathan has developed a passion for internet privacy, security, and decentralization and likes writing about those topics the most. He spends much of his free time tinkering with Linux distributions, custom Android ROMs, privacy and security tools, and self-hosting solutions. He also started gaming on a PC at a young age and still can't give up Unreal Tournament 2004 and Supreme Commander 2. Beyond computers, Nathan is a car enthusiast and philosophy nerd.
Opinions and content posted by HotHardware contributors are their own.