Malicious actors stole customer reward points and personally identifiable information in a credential stuffing attack on General Motors (GM) last month.
According to a data breach notification letter sent to impacted customers, an unauthorized party gained access to user accounts between April 11 and April 29, fraudulently redeeming customer reward points for gift cards and potentially exfiltrating personal data from card owners, including:
- first and last name, email address, physical address and username
- phone numbers for registered family members tied to the account
- last known saved favorite location information
- currently subscribed OnStar package (if applicable)
- family members’ avatars and photos (if uploaded) and profile pictures
- search destination information
- reward card activity and fraudulently redeemed reward points
“The GM accounts did not include date of birth, Social Security number, driver’s license number, credit card information or bank account information, as that information is not stored in your GM account,” the letter reads.
The US-based car manufacturer said the credentials used in the attack were not sourced from General Motors.
“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself,” the company said. “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”
To mitigate the attack, General Motors suspended gift card redemption, forced a mandatory password reset for all impacted accounts, and pledged to restore all loyalty points.
It’s unclear how many GM customers were affected by the breach. However, the company is continuing the investigation alongside law enforcement and is providing all victims with free credit monitoring for one year.
Earlier this week, we addressed risky cyber behaviors and how password reuse can affect your online privacy and security. We strongly urge users to stick to good online practices and immediately change weak passwords, especially those that are recycled among multiple online accounts and platforms.