US automobile manufacturer General Motors (GM) disclosed a credential stuffing attack that exposed customer information.
In a letter to affected customers, the car giant explained that between April 11, 2022, and April 29, 2022, an unauthorized party gained access to some GM online customer accounts, potentially accessing addresses, phone numbers and other personal information. GM also confirmed that the attackers redeemed customer reward points for gift cards in some cases.
“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” GM said in a data breach notification. “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account.”
According to the automobile manufacturer, hackers could have gained access to limited personal information in customers’ GM online or mobile application accounts, such as first and last name, personal email address, personal address, username and phone number for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, and reward card activity.
Social Security numbers and driver’s license details weren’t compromised, the company said.
GM did not reveal how many accounts were compromised, but recommended that customers reset their passwords and use unique credentials for each website.