US automobile manufacturer General Motors (GM) announced that it was hit by a credential stuffing attack last month that exposed customer information and allowed hackers to redeem rewards points for gift cards.
GM said that they detected the malicious login activity between April 11-29 2022.
"We are writing to follow-up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization," GM said in a data breach notification sent to affected customers.
A credential stuffing attack is a cyber-attack in which credentials obtained from a previous data breach on one service are used to attempt to log in to another unrelated service.
"Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself," GM said in a different data breach notification.
"We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer's GM account."
The personal information of affected customers includes first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members' avatars and photos (if uploaded), profile pictures and search and destination information.
Other information available to hackers included car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords).
Apart from resetting their passwords, GM advised affected individuals to request credit reports from their banks and place a security freeze if required.
GM also confirmed that hackers redeemed customer reward points for gift cards in certain cases.
GM operates an online platform that assists owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage their bills and redeem rewards points.
GM added that it will be restoring rewards points for all affected customers.