American automaker General Motors (GM) disclosed that it suffered a credential stuffing attack in April 2022.
According to a data breach notification filed with California’s Attorney General, the attackers accessed customers’ personally identifiable information (PII) and redeemed reward points for gift cards.
The company also clarified that the attack did not expose customers’ financial information such as credit card and social security numbers, bank account information, driver’s license numbers, and birth dates.
General Motors detected malicious login activity to customers’ accounts between April 11 and April 29.
The company responded by deactivating the reward feature and notifying customers and law enforcement authorities.
The compromised system allows Buick, Chevrolet, GMC, and Cadillac owners to manage their services and payments while accumulating and redeeming reward points.
Attackers accessed troves of personal information
The filing states that the attackers potentially accessed customers’ first and last names, email and physical addresses, last favorite location saved, and search and destination information.
Where applicable, attackers probably accessed the customer’s OnStar package subscriptions, GM customer’s profile picture, family members’ avatars or photos, and the phone number for registered family members associated with the user account.
Similarly, the breach exposed information on car mileage and service history, emergency contacts, Wi-Fi hotspot settings and passwords, and other details.
GM advised customers to reset their passwords and monitor their credit reports for potential fraud. Customers are entitled to one free credit report from Experian, Equifax, and Trans Union.
Additionally, the company recommended other mitigations, such as avoiding password reuse and changing passwords on other online accounts.
The company also promised to restore customers’ reward points that the threat actors withdrew.
A third-party data breach caused the credential stuffing attack on General Motors
The credential stuffing attack on General Motors did not exploit any vulnerability in the company’s systems. Instead, it resulted from ongoing credential stuffing attacks targeting GM customer accounts. General Motors said attackers obtained the stolen credentials from third parties.
“Based on the investigation to date, there is no evidence that the login information was obtained from GM itself,” the data breach notification (PDF) to customers read.
A credential stuffing attack involves threat actors leveraging account credentials leaked in another data breach to gain access to a different online platform. A leaked username/password pair costs a few dollars to buy on the underground markets.
However, compromised personally identifiable information costs the company about $180 to fix, according to IBM’s Cost of a Data Breach 2021 report.
“Websites have been hacked and credentials stolen and posted, often first on the dark web and later in more public forums,”’ Matt Carpenter, Principal at GRIMM, said. “Sometimes exceedingly large websites have been hacked (Facebook, TJX, Netflix, LinkedIn, etc….). In 2020, even a site that tracked stolen credentials was hacked to capture billions of credentials.”
Password reuse is the primary factor in a credential stuffing attack. According to the 2019 Google Online Security Survey, 52% of users reuse the same password across multiple websites.
“In [a] web application with basic security measures in place, brute force attacks are likely to fail, while credential stuffing attacks can often succeed,” Christopher Prewitt, Chief Technology Officer, MRK Technologies, said. “The reason is that even if you enforce strong passwords, users may share that password across services, leading to a compromise.”
A credential stuffing attack relies on automation and requires minimal technical skills once account passwords and emails match. Multifactor authentication (MFA) is usually effective in stopping a credential stuffing attack. However, GM accounts do not support this security feature.
“Kudos to GM for identifying this activity and taking action on it,” Carpenter said. “I don’t know when the emails notified consumers, but the letters were dated two and a half weeks after April 29th.
“Of course, the sooner consumers can be notified, the better, but GM “stopped the bleeding” by disabling the exploited feature, and they promised to restore any stolen credit (even though GM still had to pay out for the breach).”
General Motors’ data breach affected about 5,000 customers in California
General Motors’ data breach notification did not disclose the number of victims compromised in the credential stuffing attack.
However, the filing indicated that the automaker notified 5,000 victims in California. GM also disclosed that 140 customer reward accounts were compromised.
Unlike most states, California requires mandatory data breach reporting when an attack affects more than 500 people. The absence of similar nationwide data breach reporting laws undermines efforts to fight cybercrime.