US automaker General Motors said it was the victim of a credential stuffing hack last month. As a result, information about some customers was disclosed, and hackers were able to exchange other people’s bonus points for gift cards.
According to documents filed by the company with the California Attorney General’s Office, about 5,000 users were affected by these attacks. Let me remind you that we also wrote that Audi and Volkswagen customer data was put up for sale, and that a bug in Honda cars allows them to be remotely unlocked and started.
General Motors operates an online platform where Chevrolet, Buick, GMC and Cadillac owners can manage their spending and services and redeem points. Car owners can redeem GM Points for GM vehicles, auto services and accessories, and to purchase OnStar services.
The company says that credential stuffing attacks were observed between April 11 and April 29, 2022, and in some cases, the hackers succeeded in exchanging customer loyalty points for gift cards.
Let me remind you that the term credential stuffing usually refers to situations where usernames and passwords are stolen from some sites and then used on others. That is, attackers have a ready-made credential database (acquired on the dark web, collected on their own, and so on) and try to use this data to log in to any sites and services under the guise of their victims.
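On the defending side, this pattern usually shows up in authentication logs as one source trying many different accounts with few successes, followed in this case by a points redemption on an account it got into. The sketch below is an added example, not code from General Motors or from the original article; the event tuple layout, the `redeem_points` action name and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events, not real logs: (unix_time, source_ip, account, action, ok).
# Addresses come from documentation ranges (RFC 5737).
EVENTS = [(1000 + i, "203.0.113.7", f"user{i}", "login", i == 3) for i in range(8)]
EVENTS += [
    (1020, "203.0.113.7", "user3", "redeem_points", True),   # redemption after takeover
    (1005, "198.51.100.4", "alice", "login", False),         # ordinary typo, then success
    (1009, "198.51.100.4", "alice", "login", True),
    (1030, "198.51.100.4", "alice", "redeem_points", True),
]


def detect_stuffing(events, min_accounts=5, max_success_ratio=0.25):
    """Return {source_ip: finding} for sources whose login pattern looks like
    credential stuffing: many distinct accounts tried, few attempts succeeding.
    Both thresholds are illustrative assumptions, not vendor guidance."""
    attempts = defaultdict(list)
    for ts, ip, account, action, ok in events:
        if action == "login":
            attempts[ip].append((ts, account, ok))

    findings = {}
    for ip, tries in attempts.items():
        accounts = {account for _, account, _ in tries}
        successes = [(ts, account) for ts, account, ok in tries if ok]
        ratio = len(successes) / len(tries)
        if len(accounts) < min_accounts or ratio > max_success_ratio:
            continue
        # Earliest successful login per account from this source.
        first_ok = {}
        for ts, account in sorted(successes):
            first_ok.setdefault(account, ts)
        # Redemptions from the same source after it got into the account.
        redeemed = sorted(
            account for ts, src, account, action, ok in events
            if src == ip and action == "redeem_points" and ok
            and account in first_ok and ts >= first_ok[account]
        )
        findings[ip] = {
            "accounts_tried": len(accounts),
            "compromised": sorted(first_ok),
            "redeemed_after_takeover": redeemed,
        }
    return findings


if __name__ == "__main__":
    for ip, finding in detect_stuffing(EVENTS).items():
        print(ip, finding)
```

Counting per source address misses attempts spread thinly across many addresses, so the same grouping is often repeated on other keys such as client fingerprint or time window.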
When the hackers successfully broke into GM accounts, they were able to gain access to certain car owner information stored on the site, including:
- name and surname;
- email address;
- postal address;
- username and phone number for registered family members associated with the account;
- last known and saved location information;
- information about the OnStar subscription package (if active);
- avatars and photos of family members (if uploaded);
- profile picture;
- search and destination information.
Also, hackers could find out the car’s mileage history, service history, emergency contact information, Wi-Fi hotspot settings (including passwords), and much more. The company emphasizes that the accounts, fortunately, do not contain the date of birth, social security number, driver’s license number, bank card or account information.
General Motors says it will make sure to refund all lost loyalty points to customers. Users are now strongly encouraged to reset their passwords and request credit reports from their banks.