Vehicle manufacturer General Motors Co. has been targeted in a credential stuffing attack that exposed the information of some customers and allowed those behind the attack to redeem rewards points for gift cards.
According to a May 16 breach notice from GM, the company detected suspicious logins to certain GM online customer accounts between April 11 and April 29. GM also identified recent redemption of customer rewards points for gift cards that may have been performed without customer authorization.
GM subsequently suspended the feature on the account website and then notified affected customers, including telling them to reset their passwords. GM also reported the activity to law enforcement.
Indicating that the attack involved credential stuffing, GM said it believes unauthorized parties gained access to customer login credentials that were previously compromised on non-GM sites.
Limited personal information could have been accessed in the attack, including first and last name, email address, personal address, username and details of family members tied to an account. Search and destination information, car mileage history, service history and other vehicle-related data may have also been compromised.
The total number of customers affected was not disclosed, although Bleeping Computer reported Monday that the number in California is below 5,000. GM reportedly did not require multifactor authentication for customers logging into their accounts.
“Exploiting password reuse for credential stuffing is a common attack vector for many data breaches and ransomware,” Rajiv Pimplaskar, chief executive of virtual private network provider Dispersive Holdings Inc., told SiliconANGLE. “To protect against such attacks, the use of multifactor authentication is recommended.”
Chris Clements, vice president of solutions architecture at the information technology service management company Cerberus Cyber Sentinel Corp., noted that multifactor authentication should be the default option for any user’s account, especially for public websites that allow customer-chosen passwords.
“Not even password complexity requirements are enough to effectively combat credential stuffing as users often reuse the same password across multiple services,” Clements explained. “It doesn’t matter how long or complex a password is if it’s reused in numerous places and stolen from a third party.”