The automotive company General Motors (GM) was the victim of a credential stuffing attack that ran from April 11th through April 29th. Credential stuffing attacks are when threat actors use collections of username and password combinations leaked in other sites’ data breaches to gain access to user accounts on a website. It was confirmed that the threat actors were able to breach the accounts of multiple customers and gain access to their data. The information included names, addresses, phone numbers, locations, pictures, search information, and access to their rewards points, which in many cases were traded in for gift cards by the threat actors.
GM has made all affected individuals aware of the attack and is taking the proper steps to apply additional security controls to avoid additional attacks in the future. They are also refunding all stolen rewards points to their customers. In this case, information such as Social Security numbers, credit card data, and dates of birth were not stolen, so it is unlikely that credit fraud will result from this attack. Anyone affected, or that has an account with GM, should change their password immediately. It is recommended to never reuse passwords across different accounts or use common words within passwords that are easy to guess. Anytime a new account is created the creator should enable Multi-Factor Authentication (MFA) using a trusted third-party app. SMS messages should be avoided when setting up MFA because threat actors could potentially steal those codes, but if it is the only option, it should still be used.