U.S. automobile manufacturer General Motors (GM) has alerted customers of a data breach due to a credential stuffing attack last month. The attack exposed customers’ private information and allowed hackers to redeem reward points for gift cards. 

A credential stuffing attack is a type of cyberattack in which attackers collect stolen account credentials, such as usernames and passwords, to breach into a system. 

According to the data breach notification, GM detected the malicious log-in activity between April 11 and April 29, and upon discovery, GM suspended the redemption of customer rewards points for gift cards and notified those affected by the breach. 

Based on the investigation, GM says there is no evidence that log-in information was obtained from GM itself. “We believe that unauthorized parties gained access to customer log-in credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account,” GM says. 

Through this malicious activity, attackers may have gained access to “limited” personal information of GM online or mobile application accounts, including the users’ first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points. The breached GM accounts did not include date of birth, Social Security number, driver’s license number, credit card 2 information, or bank account information, as that information is not stored in the GM account, GM says. 

Credential stuffing is one of the most common forms of cyberattack and a widespread security risk for organizations of all types. A Ponemon Institute and Akamai report, The Cost of Credential Stuffing 2017, found that, on average, organizations lose an average of $6 million per year to credential stuffing in the form of application downtime, lost customers and increased IT costs. In 2020, Help Net Security researchers detected 193 billion credential stuffing attacks globally. 

According to F5 Labs, in 2018 and 2019, the combined threats of phishing and credential stuffing made up roughly half of all publicly disclosed breaches in the United States. “Stolen credentials are so valuable that demand for them remains enormous, creating a vicious circle in which organizations suffer both network intrusions in pursuit of credentials and credential stuffing in pursuit of profits,” F5 researchers Sander Vinberg and Jarrod Overson explain. 

And while credential stuffing attacks are old, Chris Olson, CEO of The Media Trust, says these attacks remain effective, especially when combined with modern attack techniques. “After obtaining a set of user credentials through one platform, attackers will attempt to use them on another. Today, they will also use bots to bypass security protections against multiple log-in attempts such as captcha, time delays and IP banning,” which can make detection and prevention a real challenge. 

“Ultimately, today’s organizations bear a responsibility to protect their users from misuse of compromised data,” Olson says. “Those who put consumers first through digital trust and safety initiatives will see tangible improvements in their bottom line and overall reputation.”