GM drivers may have had personal details revealed following phishing attack


A large number of General Motors (GM) user accounts have been breached, and their personally identifiable information stolen, the company has confirmed in a recent announcement sent to affected customers. What's more, the cybercriminals behind the attack tried to redeem rewards points found on those accounts for gift cards.

GM users have had their accounts compromised with a credential stuffing attack that took place between April 11 and April 29. This is a brute force type of attack, in which the attackers try numerous combinations of usernames and passwords until one works. Sometimes, the attackers will also try username/password combinations stolen from other breached services, knowing that some people reuse the same credentials across a multitude of services.
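
An added example (not from GM or the original article): a minimal detector for the login pattern described above, where one source tries many different accounts once or twice each and mostly fails. The log format, the thresholds and the function name `find_stuffing` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample auth log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-04-11T10:00:01Z 203.0.113.7 user01@example.com FAIL
2022-04-11T10:00:02Z 203.0.113.7 user02@example.com FAIL
2022-04-11T10:00:03Z 203.0.113.7 user03@example.com OK
2022-04-11T10:00:04Z 203.0.113.7 user04@example.com FAIL
2022-04-11T10:00:05Z 203.0.113.7 user05@example.com FAIL
2022-04-11T10:00:06Z 203.0.113.7 user06@example.com FAIL
2022-04-11T10:01:00Z 198.51.100.20 carol@example.com FAIL
2022-04-11T10:01:09Z 198.51.100.20 carol@example.com FAIL
2022-04-11T10:01:20Z 198.51.100.20 carol@example.com OK
2022-04-11T10:02:00Z 192.0.2.44 dave@example.com OK
"""

def find_stuffing(log_text, min_users=5, max_tries_per_user=2, min_fail_ratio=0.7):
    """Flag sources that try many distinct accounts a few times each and mostly fail.

    Returns {source_ip: sorted list of accounts that logged in successfully},
    i.e. the accounts that need a forced password reset.
    """
    tries = defaultdict(lambda: defaultdict(int))   # ip -> user -> attempts
    fails = defaultdict(int)                        # ip -> failed attempts
    hits = defaultdict(set)                         # ip -> users with a success
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        _, ip, user, outcome = parts
        user = user.lower()
        tries[ip][user] += 1
        if outcome == "OK":
            hits[ip].add(user)
        else:
            fails[ip] += 1
    flagged = {}
    for ip, per_user in tries.items():
        total = sum(per_user.values())
        if (len(per_user) >= min_users
                and max(per_user.values()) <= max_tries_per_user
                and fails[ip] / total >= min_fail_ratio):
            flagged[ip] = sorted(hits[ip])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(SAMPLE_LOG).items():
        print(ip, "looks like credential stuffing; reset:", accounts)
```

The single user who mistypes a password twice and the clean login are not flagged, because each of those sources touches only one account.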

The exact number of affected customers is unknown, although just in the state of California there are thought to have been around 5,000 victims. 


No credit card data stolen

GM also says that, because the attack was credential stuffing, its own infrastructure was neither tampered with nor compromised.

"Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself," GM was cited as saying in an announcement.

"We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account."

In the breached accounts, the cybercriminals got access to things like full names, email addresses, physical addresses, phone numbers of family members, last known and favorite locations, as well as search and destination information. Car mileage history, service history, and emergency contacts were also on display.

Things like Social Security numbers, driver’s license numbers, credit card information or bank account information were not compromised, as GM does not store this data, the company confirmed.

Since the attack, GM asked its users to reset their passwords, and told impacted customers to request credit reports from their banks.

Just as with Zola, whose customers have had their accounts compromised following a credential stuffing attack, General Motors does not support two-factor authentication, BleepingComputer states. Users can add a PIN that needs to be inputted for every purchase, though.

“Businesses need to understand passwords are the vulnerability,” commented Patrick McBride, CMO at Beyond Identity. “It is no longer adequate to pass the blame off on customers because their passwords were obtained elsewhere. Businesses can mitigate the password vulnerability today, by using unphishable MFA. It is well beyond the time to blame users for the failures of businesses that don’t use adequate authentication methods when they already exist.”

Via: BleepingComputer

Sead Fadilpašić
