General Motors (GM) has confirmed, in a notice sent to affected customers, that a large number of user accounts were hacked and their personally identifiable information stolen. What’s more, the cybercriminals behind the attacks attempted to redeem reward points found on these accounts for gift cards.
The accounts of GM users were subject to credential stuffing attacks between April 11 and April 29. In credential stuffing, the attacker takes username/password pairs leaked from breaches of other services and replays them against the target site, knowing that many people reuse the same credentials across numerous services. It is a cousin of classic brute force, where the attacker guesses many password combinations for one account until one succeeds, but it relies on known-valid pairs rather than guessing, so each account typically sees only one or two attempts while a single source hits many different accounts.
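The two patterns above look different in an authentication log: a stuffing source cycles through many distinct usernames with a low success rate, while a brute-force source hammers one username. The following is an added example, not GM's code or data, showing detection logic over a constructed log and the follow-up a defender needs (which accounts logged in successfully from a flagged source and must be force-reset). The log format, field order and thresholds are assumptions for the illustration.

```python
"""Classify login sources as credential stuffing, brute force, or normal.

Added example, not GM's code. Log format and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2022-04-11T10:00:01Z 203.0.113.7 alice@example.com FAIL
2022-04-11T10:00:02Z 203.0.113.7 bob@example.com FAIL
2022-04-11T10:00:03Z 203.0.113.7 carol@example.com OK
2022-04-11T10:00:04Z 203.0.113.7 dan@example.com FAIL
2022-04-11T10:00:05Z 203.0.113.7 eve@example.com FAIL
2022-04-11T10:00:06Z 203.0.113.7 frank@example.com FAIL
2022-04-11T10:00:07Z 203.0.113.7 grace@example.com FAIL
2022-04-11T10:00:08Z 203.0.113.7 heidi@example.com FAIL
2022-04-11T10:05:00Z 198.51.100.23 ivan@example.com FAIL
2022-04-11T10:05:01Z 198.51.100.23 ivan@example.com FAIL
2022-04-11T10:05:02Z 198.51.100.23 ivan@example.com FAIL
2022-04-11T10:05:03Z 198.51.100.23 ivan@example.com FAIL
2022-04-11T10:05:04Z 198.51.100.23 ivan@example.com FAIL
2022-04-11T10:05:05Z 198.51.100.23 ivan@example.com FAIL
2022-04-11T10:30:00Z 192.0.2.10 judy@example.com OK
2022-04-11T10:31:00Z 192.0.2.10 judy@example.com OK
"""


@dataclass
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> list[Attempt]:
    """Parse the constructed four-field log format into Attempt records."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        attempts.append(
            Attempt(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK")
        )
    return attempts


def classify_sources(
    attempts: list[Attempt],
    window: timedelta = timedelta(minutes=10),
    min_attempts: int = 5,          # assumed threshold: ignore quieter sources
    min_users: int = 5,             # assumed: distinct accounts that signal stuffing
    max_success_rate: float = 0.2,  # assumed: stuffing mostly fails
) -> dict[str, str]:
    """Return {ip: 'credential_stuffing' | 'brute_force' | 'normal'}.

    A sliding time window is slid over each source's attempts; stuffing is
    many distinct usernames with few successes, brute force is one username
    failing repeatedly. Stuffing takes precedence if both ever match.
    """
    by_ip: dict[str, list[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)
    labels = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda a: a.ts)
        label = "normal"
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts:
                continue
            users = {a.user for a in win}
            successes = sum(a.ok for a in win)
            if len(users) >= min_users and successes / len(win) <= max_success_rate:
                label = "credential_stuffing"
                break
            if len(users) == 1 and successes == 0:
                label = "brute_force"
        labels[ip] = label
    return labels


def compromised_accounts(attempts: list[Attempt]) -> set[str]:
    """Usernames that logged in successfully from a stuffing source: these are
    the accounts to force a password reset on and to check for reward abuse."""
    labels = classify_sources(attempts)
    return {a.user for a in attempts if a.ok and labels.get(a.ip) == "credential_stuffing"}


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print(classify_sources(log))
    print(compromised_accounts(log))
```

The success-rate test matters: a stuffing run that hits reused passwords will contain real logins, and those are exactly the accounts the attacker can drain of reward points, so the defender acts on the successes, not just the failures. Per-IP grouping is a simplification; real campaigns spread attempts across proxy pools, so production detection also keys on user-agent, ASN, or a device fingerprint.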
The exact number of affected customers is not known, although there are believed to be around 5,000 victims in California alone.
No credit card data stolen
GM also said that this means its own infrastructure was not tampered with or compromised.
“Based on the investigation to date, there is no evidence that the login information was obtained from GM itself,” GM was quoted as saying in a statement.
“We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other, non-GM websites, and then reused those credentials on the customer’s GM account.”
From a compromised account, cybercriminals can access information such as full names, email addresses, physical addresses, phone numbers of family members, last known and favorite locations, and search and destination information. Vehicle mileage history, service history, and emergency contacts are also visible.
The company confirmed that information such as Social Security numbers, driver’s license numbers, credit card information or bank account information was not leaked because GM does not store such data.
GM has asked its users to reset their passwords since the attack and told affected customers to request a credit report from their bank.
Just like Zola, whose customers had their accounts taken over after a credential stuffing attack, GM does not support two-factor authentication, BleepingComputer reports. However, users can add a PIN that is required for each purchase.
“Businesses need to understand that passwords are vulnerabilities,” commented Patrick McBride, chief marketing officer at Beyond Identity. “Since the customer’s password is obtained elsewhere, it is no longer sufficient to pass the buck to the customer. Today, businesses can mitigate password vulnerabilities by using MFA that is not phishable. It’s far beyond time to blame users for the failure of businesses that don’t use adequate authentication methods when they already exist.”