Cyber Incident Victim: General Motors

Date: Apr 2022

Location: United States of America

Summary

General Motors experienced a credential stuffing attack in which attackers used credentials compromised from other sources to access customer accounts, leading to unauthorized redemption of rewards points for gift cards. Exposed information included names, email and physical addresses, phone numbers, family member details, location data, service histories, and vehicle-related settings. The company restored affected rewards points and mandated password resets for impacted users. Sensitive financial and identification data was not compromised because it was not stored in the accounts, but the incident highlighted the exposure created by the platform's lack of two-factor authentication.

Description

General Motors experienced a credential stuffing attack targeting its online customer platform between April 11 and April 29, 2022. The attackers exploited username and password combinations previously leaked from non-GM websites to gain unauthorized access to customer accounts. GM detected the malicious login activity during this period and confirmed that threat actors redeemed rewards points for gift cards in some instances. The company notified affected customers through data breach letters, clarifying that the compromise resulted from reused credentials rather than a direct breach of GM's systems. Investigators found no evidence that login credentials originated from GM's infrastructure. The platform, used by owners of Chevrolet, Buick, GMC, and Cadillac vehicles, allowed customers to manage bills, services, and rewards points redeemable for vehicles, accessories, or OnStar plans. GM restored all fraudulently redeemed rewards points and mandated password resets before affected users could regain account access.

Successful account breaches exposed multiple categories of personal information including first and last names, personal email addresses, physical addresses, and phone numbers. Attackers also accessed usernames and phone numbers of registered family members, saved location data, active OnStar subscriptions, profile/family member photos, vehicle mileage/service histories, emergency contacts, and Wi-Fi hotspot settings with passwords. The compromised data extended to search histories and destination information stored in accounts. GM confirmed its systems did not store or expose Social Security numbers, driver's licenses, dates of birth, credit card details, or bank account information. The company advised impacted customers to review credit reports and consider security freezes despite the absence of financial data exposure. California's Attorney General received notifications for just under 5,000 affected state residents, though GM did not disclose total impacted accounts globally. The platform lacked two-factor authentication at the time of the incident, relying solely on password-based authentication supplemented by optional purchase PINs.
