General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history.
The Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General’s Office on May 16. The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29. Further investigation revealed that the company had been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards. Credential stuffing is a rudimentary type of cyberattack that involves using lists of previously compromised login credentials to hack into online accounts. Such lists can be purchased with relative ease on the dark web.
“We took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues. We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement,” the company says. Customers whose reward points had been abused were subsequently replenished with new reward points, the company added.
In addition to the reward points theft, the incident also exposed a significant amount of user information. GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:
- first and last name
- personal email address
- home address
- username
- phone number
- last known and saved favorite location
- OnStar package (if applicable)
- family members’ avatars and photos
- profile picture
- search and destination information
- reward card activity
- fraudulently redeemed reward points
Oh okay, only that? Phew, for a minute I thought this breach might be big! The company has made it known that the stolen information did not include birthdays, social security numbers, credit card or bank information, or driver’s license numbers, since that information “is not stored in your GM account.” Good thing, too!
It’s unclear exactly how many customers were affected by this breach, though we know it’s more than 500 in California alone. California law requires that companies file public breach notifications to the OAG in cases where the number of state residents affected by the incident is greater than 500 people.