Posted on May 25, 2022 at 8:38 AM
General Motors Hacked – Credential Stuffing Used To Access Customer Accounts
Major US carmaker General Motors (GM) has disclosed that it was a recent victim of a credential stuffing attack, which exposed some of its customers’ information. The car manufacturer also admitted that the attackers were able to redeem reward points for gift cards.
The company operates an online platform that enables owners of Buick, GMC, Chevrolet, and Cadillac models to manage their bills and services and redeem rewards points. Car owners can redeem GM rewards points for accessories, car service, OnStar service plans, and GM vehicles.
According to GM, its security team discovered the malicious login activity between April 11 and April 29, 2022. In some cases, the hackers had already redeemed customers’ rewards points for gift cards through the company’s portal.
In a data breach notification sent to the affected customers, the company stated that it was following up on a previous email advising them of an incident in which their rewards points were used without their authorization. GM stated that it will restore all affected rewards points and that customers have nothing to worry about.
Breach Caused By Credential Stuffing
GM also disclosed that the breach was not a result of the company being hacked, but rather caused by a series of credential stuffing attacks that targeted customers on the platform.
Credential stuffing is a common type of attack in which threat actors collect usernames and passwords exposed on previously breached platforms and try them against user accounts on other websites. The method is sometimes successful because some users reuse the same password or account details on two or more platforms. Once one of those platforms is compromised, the hackers can try the exposed credentials on other platforms where the same user may have an account.
“Based on the investigation to date, there is no evidence that the log-in information was obtained from GM itself,” GM explained in a separate notification to customers. The company added that some unauthorized parties were able to access customer login details that were initially leaked on other non-GM sites. After gaining access to these account details, they reused the credentials on the customer’s GM account. As a result, customers have been advised to reset their passwords before they log in to their accounts.
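As an added example (not from GM or the original article), the following Python code shows how a defender might spot the pattern described above in login logs: one source trying many different accounts with a low success rate. The event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_events():
    """Constructed sample data: (timestamp, source IP, username, outcome)."""
    base = datetime(2024, 1, 1, 9, 0, 0)  # arbitrary date, not from the incident
    events = []
    # One source tries 12 different accounts once each; one reused password works.
    for i in range(12):
        outcome = "success" if i == 7 else "fail"
        events.append((base + timedelta(seconds=20 * i), "203.0.113.7", f"user{i:02d}", outcome))
    # A genuine owner mistypes a password twice, then logs in.
    for j, outcome in enumerate(["fail", "fail", "success"]):
        events.append((base + timedelta(seconds=30 * j), "198.51.100.20", "alice", outcome))
    return sorted(events)


def detect_stuffing(events, window=timedelta(minutes=10), min_users=10, max_success_ratio=0.2):
    """Return {source_ip: usernames that logged in successfully} for suspicious sources.

    A source is suspicious when, inside one sliding window, it attempts at least
    `min_users` distinct accounts and at most `max_success_ratio` of attempts succeed.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in sorted(events):
        by_ip[ip].append((ts, user, outcome))

    findings = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Shrink the window from the left until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            win = rows[start:end + 1]
            distinct_users = {user for _, user, _ in win}
            successes = [user for _, user, outcome in win if outcome == "success"]
            if len(distinct_users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                # Record the source even if no login succeeded in the window.
                findings.setdefault(ip, set()).update(successes)
    return {ip: sorted(users) for ip, users in findings.items()}


if __name__ == "__main__":
    print(detect_stuffing(constructed_events()))
```

The usernames returned for a flagged source are the accounts where a reused password worked, which makes them the candidates for a forced password reset.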
Customers’ Financial Details Are Not Included
The report revealed that the threat actors accessed certain information on the site after breaching a GM account. These include personal details like the customer’s address, personal email address, first and last name, profile picture, search and destination information, family members’ avatars and photos, currently subscribed OnStar package, as well as the username and phone number of a registered family member linked to the account.
Additionally, the hackers could have accessed other information such as Wi-Fi hotspot settings, emergency contacts, service history, and car mileage.
However, the GM accounts do not contain social security numbers, the customer’s date of birth, credit card information, driver’s license number, or bank account information. This means the information regarding the customer’s financial details has not been compromised.
Lack Of Two-Factor Authentication Highlighted
GM’s online portal does not support two-factor authentication, which would have prevented the attack from succeeding against most of the customers. But the platform provides an option for customers to set a PIN that they must enter for all purchases. Those who use the option are more likely to be protected than those who do not.
The attack and resulting exposure are another example of the importance of two-factor authentication. With such an extra security feature, attackers would find it more difficult to gain access to GM customers’ accounts, since they would be required to provide additional authentication for each account. While many platforms now offer a second authentication method, some have failed to implement such security measures on their systems. This has exposed their customers to the risk of a data breach.
The exact number of customers impacted by the recent breach is not known. But General Motors noted that about 5,000 customers were impacted in California, based on a notification sample submitted to the Attorney General’s Office in the state.
Additionally, General Motors has advised affected customers to get credit reports from their banks and order a security freeze on their accounts if the need arises. The notice also has instructions on how to get the credit report and place a security freeze.