General Motors customers fall victim to a credential stuffing attack


The American automaker General Motors reported that last month it was the target of a credential stuffing attack, in which attackers stole information about some customers and redeemed their bonus points for gift certificates.

General Motors runs an online platform where owners of Chevrolet, Buick, GMC and Cadillac cars can manage their accounts and services and redeem bonus points toward GM cars, car service, accessories and OnStar service plan payments.

According to the company, GM detected malicious activity between April 11 and 29, 2022, and found that hackers had redeemed some customers' bonus points for gift certificates. The automaker notified all affected customers and promised to restore their bonus points.

The incident was not the result of a breach of General Motors itself, but of a credential stuffing attack. In other words, the attackers took usernames and passwords previously leaked from other sites and tried them against the GM online platform. In some cases the credentials matched, and the hackers were able to gain access to those accounts.
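The login pattern described above, many different accounts tried from one source with few successes, can be looked for in authentication logs. The following is an added example, not GM's code or anything from the company's notice; the log format, thresholds, addresses and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (format is an assumption): timestamp, source IP, username, result
SAMPLE_LOG = """\
2022-04-11T10:00:01 203.0.113.7 user1@example.test FAIL
2022-04-11T10:00:03 203.0.113.7 user2@example.test FAIL
2022-04-11T10:00:05 203.0.113.7 user3@example.test FAIL
2022-04-11T10:00:07 203.0.113.7 user4@example.test OK
2022-04-11T10:00:09 203.0.113.7 user5@example.test FAIL
2022-04-11T10:00:11 203.0.113.7 user6@example.test FAIL
2022-04-11T10:01:00 198.51.100.20 owner@example.test FAIL
2022-04-11T10:01:20 198.51.100.20 owner@example.test FAIL
2022-04-11T10:01:45 198.51.100.20 owner@example.test OK
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5), min_users=5, max_ok_ratio=0.2):
    """Flag IPs that try many distinct accounts inside one window and mostly fail."""
    by_ip = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, ip, user, ok = parse(line)
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:  # slide the window forward
                start += 1
            chunk = events[start:end + 1]
            users = {u for _, u, _ in chunk}
            wins = sum(ok for _, _, ok in chunk)
            if len(users) >= min_users and wins / len(chunk) <= max_ok_ratio:
                flagged[ip] = (len(users), wins, len(chunk))  # distinct users, successes, attempts
    return flagged

def accounts_to_reset(log_text, flagged):
    """Accounts with a successful login from a flagged source: candidates for a forced reset."""
    rows = map(parse, filter(str.strip, log_text.splitlines()))
    return sorted({user for _, ip, user, ok in rows if ok and ip in flagged})

if __name__ == "__main__":
    sources = find_stuffing_sources(SAMPLE_LOG)
    print(sources, accounts_to_reset(SAMPLE_LOG, sources))
```

Grouping by source IP misses attempts spread over many addresses; the same windowed count can be keyed on another attribute the logs record, such as network block or user agent.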

“We believe that unauthorized attackers gained access to user credentials that were compromised earlier on other sites unrelated to GM, and then used them to access GM customer accounts,” the company said.

With access to an account, the hackers could view user information stored on the site, such as first and last names, email addresses and residential addresses, user names and phone numbers of registered family members linked to the account, last known location and frequently visited places, the current OnStar plan, photos of family members, profile photos and destination search information. In addition, the attackers could see the car's mileage, its service history, emergency contacts, Wi-Fi access point settings (including passwords), etc.

GM customer accounts do not store dates of birth, social security numbers, driver’s license numbers, credit card details or banking information.

Unfortunately for GM customers, the company’s online platform does not support two-factor authentication, which would prevent credential stuffing attacks.
