General Motors sufferes Credential Stuffing

General Motors (GM) has said it has suffered a credential stuffing attack. During the attack customer information and reward points were stolen on the online platform used by Chevrolet, Buick, GMC, and Cadillac vehicles to manage their bills and services.

GM disclosed that it detected the malicious login activity between last month and confirmed that the threat actors exchanged customer reward bonuses of some customers for gift certificates.

GM contacted victims of the breach, advising them to follow instructions to recover their GM account. GM is also forcing affected users to reset their passwords before logging in to their accounts again. In the notification for affected customers, GM said it will be restoring rewards points for all customers affected by this breach.

Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.

GM Statement

Attackers could have accessed the following Personally PII of a compromised user:

• First and last name
• Email address
• Physical address
• Username and phone number for registered family members tied to the account
• Last known and saved favorite location information
• Search and destination information

To mitigate these type of attacks

• Use MFA
• Stop reusing passwords
• Use unique password with strong complexity