A number of General Motors (GM) user accounts have been compromised and personally identifiable information stolen, the company confirmed in a recent notice sent to affected customers. What’s more, the cybercriminals behind the attack tried to redeem the reward points they found in the accounts as gift cards.
GM user accounts were compromised in a credential stuffing attack that took place between April 11th and April 29th. Credential stuffing is a type of brute-force attack in which an attacker tries username and password combinations until one works. The combinations are typically taken from other compromised services, and the attack relies on the fact that some people reuse the same credentials across multiple services.
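Credential stuffing has a recognisable footprint on the defender's side: one source tries many different usernames in a short window, with a low success rate, because each stolen pair is tried only once or twice. The following detector is an added example, not code from the article or from GM; it assumes a hypothetical authentication log format (`timestamp src=IP user=NAME result=success|fail`) and runs over constructed sample lines, flagging sources that match that pattern and listing the accounts that did succeed from such a source, which are the ones to force a password reset on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format, not GM's real logs).
# 198.51.100.7 sprays six different usernames in six seconds and gets one hit;
# 203.0.113.9 hammers a single account (brute force, not stuffing);
# 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2022-04-12T03:00:01Z src=198.51.100.7 user=alice@example.com result=fail
2022-04-12T03:00:02Z src=198.51.100.7 user=bob@example.com result=fail
2022-04-12T03:00:03Z src=198.51.100.7 user=carol@example.com result=success
2022-04-12T03:00:04Z src=198.51.100.7 user=dave@example.com result=fail
2022-04-12T03:00:05Z src=198.51.100.7 user=erin@example.com result=fail
2022-04-12T03:00:06Z src=198.51.100.7 user=frank@example.com result=fail
2022-04-12T03:05:00Z src=203.0.113.9 user=alice@example.com result=fail
2022-04-12T03:05:20Z src=203.0.113.9 user=alice@example.com result=fail
2022-04-12T03:05:40Z src=203.0.113.9 user=alice@example.com result=success
2022-04-12T09:00:00Z src=192.0.2.44 user=grace@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, source, user, succeeded) tuples, sorted by time.
    Malformed lines are skipped rather than aborting the whole run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    return sorted(events)


def detect_credential_stuffing(events, window=timedelta(minutes=10),
                               min_distinct_users=5, max_success_rate=0.5):
    """Flag sources that, within a sliding time window, attempt logins for at least
    min_distinct_users different accounts with a success rate at or below
    max_success_rate. Returns {source: stats}, where accounts_to_reset lists the
    usernames that logged in successfully from a flagged source."""
    recent = defaultdict(deque)  # source -> deque of (ts, user, succeeded) inside the window
    alerts = {}
    for ts, src, user, ok in events:
        q = recent[src]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        users = {u for _, u, _ in q}
        attempts = len(q)
        successes = sum(1 for _, _, s in q if s)
        if len(users) >= min_distinct_users and successes / attempts <= max_success_rate:
            # Overwrite on each event so the alert reflects the latest window for this source.
            alerts[src] = {
                "distinct_users": len(users),
                "attempts": attempts,
                "successes": successes,
                "accounts_to_reset": sorted(u for _, u, s in q if s),
            }
    return alerts


if __name__ == "__main__":
    for src, stats in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing suspected from {src}: {stats}")
```

The single-account brute force from 203.0.113.9 deliberately does not trigger this rule: it needs a per-account lockout or rate limit instead, which is a separate control. In practice the thresholds would be tuned against baseline traffic, and the same logic would be keyed on additional pivots (ASN, user agent, device fingerprint) because stuffing campaigns rotate source addresses.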
The exact number of customers affected is unknown, but there are thought to be approximately 5,000 victims in California alone.
No credit card data theft
GM also says this means its own infrastructure was not tampered with or damaged.
In a statement, GM said, “There is no evidence that GM itself obtained login information as a result of the investigation so far.”
“We believe that an unauthorized party previously accessed compromised customer login credentials on a non-GM site and then reused those credentials in the customer’s GM account.”
The compromised accounts gave the cybercriminals access to information such as name, email address, physical address, phone number, last known and favorite locations, and search and destination information. Car mileage history, service history, and emergency contacts were also exposed.
The company confirmed that social security numbers, driver’s license numbers, credit card information and bank account information were not compromised, because GM does not store this data.
After the attack, GM asked affected users to reset their passwords and directed them to request a credit report from their bank.
Like Zola, whose customer accounts were also compromised by a credential stuffing attack, General Motors does not support two-factor authentication, BleepingComputer notes. Users can, however, add a PIN that must be entered for each purchase.
“Businesses need to understand that passwords are a weakness,” said Patrick McBride, CMO of Beyond Identity. “Because the customer’s password was obtained from another source, it is not appropriate to pass the responsibility on to the customer any further. Businesses today can use phishing-resistant MFA to mitigate password vulnerabilities. Blaming users for failing to use proper authentication methods that already exist is far past its time.”