A large number of General Motors (GM) user accounts have been breached, and their personally identifiable information (opens in new tab) stolen, the company has confirmed in a recent announcement sent to affected customers. What’s more, the cybercriminals behind the attack tried to redeem rewards points found on those accounts, for gift cards.
GM users have had their accounts compromised with a credential stuffing attack that took place between April 11 and April 29. This is a brute force type of attack, in which the attackers try numerous combinations of usernames and passwords until one works. Sometimes, the attackers will also try username/password combinations stolen from other breached services, knowing that some people reuse the same credentials across a multitude of services.
The exact number of affected customers is unknown, although just in the state of California there are thought to have been around 5,000 victims.
No credit card data stolen
GM also says that this means its infrastructure was not tampered with, nor compromised.
“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” GM was cited as saying in an announcement.
“We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”
In the breached accounts, the cybercriminals got access to things like full names, email addresses, physical addresses, phone numbers of family members, last known and favorite locations, as well as search and destination information. Car mileage history, service history, and emergency contracts, were also on display.
Things like Social Security numbers, driver’s license numbers, credit card information or bank account information were not compromised, as GM does not store this data, the company confirmed.
Since the attack, GM asked its users to reset their passwords (opens in new tab), and told impacted customers to request credit reports from their banks.
Just as with Zola, whose customers have had their accounts compromised following a credential stuffing attack, General Motors does not support two-factor authentication (opens in new tab), BleepingComputer states. Users can add a PIN that needs to be inputted for every purchase, though.
“Businesses need to understand passwords are the vulnerability,” commented Patrick McBride, CMO at Beyond Identity. It is no longer adequate to pass the blame off on customers because their passwords were obtained elsewhere. Businesses can mitigate the password vulnerability today, by using unphishable MFA. It is well beyond the time to blame users for the failures of businesses that don’t use adequate authentication methods when they already exist.”