Car manufacturer General Motors has confirmed the credential stuffing attack it suffered last month exposed customers’ names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts.
Trucks come off the assembly line at GM’s Chevrolet Silverado and GMC Sierra pickup truck plant in Fort Wayne, Indiana
Other more personal information, including social security and credit card and bank account numbers, as well as drivers license data are not stored in customers’ GM accounts and were not laid bare, GM officials said in a letter [PDF] sent to customers this month.
According to the letter, in the 18 days between April 11 and April 29, the company detected suspicious logins to some GM online customer accounts, finding that threat actors had redeemed customer reward points for gift cards. Through a GM online platform, owners of cars brands including Chevrolet and Buick can manage their payments and services while building up and redeeming reward points.
After discovering the attack, GM suspended the reward feature on the account website and notified customers affected by the issue, telling them they would need to reset their passwords to get back into their online customer accounts. The company reported the breach to law enforcement agencies.
GM also is restoring the reward points for impacted customers.
Company officials said in the letter that the login information was not stolen from GM itself. Instead, the company was the victim of a credential stuffing attack, where cybercriminals use usernames and passwords stolen from one website and try to use them to log onto other sites. Some of these attacks use botnets to scale the number of sign-on attempts.
If successful, the attackers can use the credentials for myriad activities, such as using credit card data to make purchases, stealing gift cards saved on the customer’s account, using the information for phishing attacks or selling the login information and personal data to other bad actors.
News about the GM attack comes the same week that online wedding planning site Zola admitted that it, too, was the victim of a credential stuffing attack, with some customers complaining that bank accounts linked to the site were used to buy gift cards.
In January, New York Attorney General Letitia James issued a report from a months-long investigation into credential stuffing scams in that state, finding that credentials for more than 1.1 million online accounts at 17 companies – including retailers, restaurant chains and food delivery services – were compromised.
Credential stuffing attacks have added more fuel to the demand that companies move past passwords as the primary user authentication method for securing online accounts, with critics saying they are too easy to break and leave sensitive customer data vulnerable to being exposed and stolen.
“We’ve long since past the point where multifactor authentication should be the default option for any user’s account, especially for public websites that allow customer chosen passwords,” Chris Clements, vice president of solutions architecture for cybersecurity firm Cerberus Sentinel, told The Register in an email.
“Not even password complexity requirements are enough to effectively combat credential stuffing as users often reuse the same password across multiple services. It doesn’t matter how long or complex a password is if it’s reused in numerous places and stolen from a third-party.”
Organizations that provide online customer accounts should by default support more secure account protection mechanisms, including multifactor authentication (MFA) or standards developed by the FIDO Alliance, Clements said.
“Defaults matter,” he added. “Most users won’t stray from the initial account setup process unless they have good reason to. Defaulting to enabling MFA on all user accounts may add an extra step to user onboarding, but the additional security protection it brings really is a night and day difference.”
Uriel Maimon, vice president of emerging products at cybersecurity vendor PerimeterX, told The Register in an email that the attacks on GM and Zola show that credential stuffing attacks “continue to fuel the web attack lifecycle, potentially using these stolen user credentials on other e-commerce sites. We can expect that these credentials will soon be tested on other apps that we use daily to power our lives.”
“The responsibility lies on app providers and website owners to make it difficult and expensive for cybercriminals to use the information in order to disrupt the cycle of attacks,” Maimon said. “This means stopping the theft, validation and fraudulent use of account and identity information everywhere along a consumer’s digital journey.”
He noted that malicious login attempts out of total logins grew during 2021, reaching 93.8 percent of all login attempts in August, an 8 percent increase over the 2020 peak.
In their letter, GM officials suggested that beyond resetting their GM password, customers should not use the same passwords for different accounts and that they update any duplicate passwords. In addition, they gave customers a list of best practices for protecting personal information and recommendations from the Federal Trade Commission for protecting identities, placing a fraud alert or putting a security freeze on a credit file.
They also can place an initial or extended fraud alert on their credit card. ®