25 May 2022

US automaker General Motors hit with credential stuffing attack



US automobile manufacturer General Motors (GM) disclosed a credential stuffing attack that exposed customer information.

In a letter to affected customers, the car giant explained that between April 11, 2022 and April 29, 2022 an unauthorized party gained access to some GM online customer accounts, potentially accessing addresses, phone numbers and other personal information. GM also confirmed that in some cases the attackers redeemed customer reward points for gift cards.

“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” GM said in a data breach notification. “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account.”

According to the automobile manufacturer, hackers could have gained access to limited personal information from customers’ GM online or mobile application accounts, such as first and last name, personal email address, personal address, username and phone number for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, and reward card activity.

Social Security numbers and driver’s license details weren’t compromised, the company said.

GM did not reveal how many accounts were compromised, but recommended that customers reset their passwords and use unique credentials for each website.
