Do you own a Chevrolet, Buick, GMC, or Cadillac? If so, be aware that GM recently acknowledged that they fell victim to a credential stuffing attack a little over a month ago.
The attack exposed some customer information to the attackers and allowed them to redeem an undisclosed number of rewards points for gift cards.
The company said that they detected suspicious network activity between April 11th and April 29th of 2022. In a letter sent to those impacted by the breach, GM indicated that they would be restoring rewards points for everyone who was impacted.
While it's small consolation, it's worth noting that this isn't a case of the company being hacked. Credential stuffing attacks see the threat actors use many different usernames and passwords purchased from the Dark Web in a wholesale attempt to find a combination that will work on a given website. The company stressed that there is no evidence the attackers gained this information from GM's network itself.
If you were among the impacted customers, be aware that the following information was exposed:
- Customer first and last name
- Personal email address
- Personal physical address
- Username and phone number for registered family members tied to the account
- Last known and saved favorite location information
- Currently subscribed OnStar package (if applicable)
- Family members' avatars and photos (if uploaded)
- Profile picture
- And search & destination information
The attackers may have also gained access to less useful information such as car milage history, service history, Wi-Fi Hotspot settings, emergency contact information and the like.
As breaches go, this one wasn't as bad as many of the others we've heard about thus far this year. However, armed with the information above, a hacker would certainly have enough details to steal someone's identity. So be warned and stay vigilant.