General Motors Customers Targeted in Credential Stuffing Attack

General Motors has announced that certain customer accounts have been accessed by unauthorized individuals. Between April 11 and April 29, 2022, suspicious logins were detected in customer accounts. The investigation revealed that unauthorized individuals accessed certain customer accounts and redeemed their reward points for gift vouchers. The compromised accounts contained information such as names, addresses, dates of birth, personal email addresses, phone numbers, usernames, driver’s license numbers, Social Security numbers, credit card/bank account information, and the contact information of family members linked to the accounts.

General Motors said when the security incident was detected, the reward program on the website was suspended. A password reset was also performed, and notifications were sent to customers advising them that they would need to change their password to get back into their accounts. Any customers who had their rewards points exchanged will have the points restored.

General Motors explained in its notification letters that it was not itself the victim of a cyberattack; rather, this was a credential stuffing attack targeting its customers. Credential stuffing attacks involve using usernames and passwords stolen in a data breach to try to log in to accounts at an unrelated company. Credential stuffing attacks rely on poor password practices – the reuse of the same username and password on multiple platforms.

Most accounts require a username to be set, which is often an individual’s primary email address. If the same password is set for multiple accounts that share the same username, a breach at one site allows access to the accounts on all other sites where the password has been reused. It is not clear where the breach occurred that provided the attackers with the credentials they needed to attack GM customers; however, huge lists of compromised credentials are often traded on hacking forums. Another credential stuffing attack occurred this week at Zola, an online wedding planning site, where the attackers also purchased gift cards; in that incident they used funds in linked bank accounts.
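From the defender’s side, the pattern described above is visible in authentication logs: one source tries many different usernames, most attempts fail, and the occasional success is an account whose owner reused a password. The following example is added here and is not GM’s code or data; it assumes a constructed log format of `timestamp source_ip username result` and flags sources that match that pattern.

```python
"""Flag credential-stuffing patterns in web-login logs (added example).

Assumed log format (constructed, not GM's): 'timestamp src_ip username result'.
A stuffing campaign shows one source trying many *different* usernames,
mostly failing, with a few successes where a reused password happened to work.
"""
from collections import defaultdict

# Constructed sample log lines (not real data).
SAMPLE_LOG = """\
2022-04-11T02:00:01Z 203.0.113.7 alice@example.com FAIL
2022-04-11T02:00:02Z 203.0.113.7 bob@example.com FAIL
2022-04-11T02:00:02Z 203.0.113.7 carol@example.com SUCCESS
2022-04-11T02:00:03Z 203.0.113.7 dave@example.com FAIL
2022-04-11T02:00:03Z 203.0.113.7 erin@example.com FAIL
2022-04-11T02:00:04Z 203.0.113.7 frank@example.com FAIL
2022-04-11T02:00:05Z 203.0.113.7 grace@example.com SUCCESS
2022-04-11T08:15:00Z 198.51.100.20 heidi@example.com FAIL
2022-04-11T08:15:20Z 198.51.100.20 heidi@example.com SUCCESS
"""

def summarize(log_text):
    """Per source IP: distinct usernames tried, total attempts, failures, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "successes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s["users"].add(user.lower())
        s["attempts"] += 1
        if result == "SUCCESS":
            s["successes"] += 1
        else:
            s["failures"] += 1
    return stats

def flag_stuffing(log_text, min_users=5, min_fail_ratio=0.6):
    """Return sources whose pattern matches stuffing: many distinct accounts,
    mostly failures. A legitimate user retrying their own password touches a
    single account and is therefore not flagged. 'compromised' counts the
    successes, i.e. the accounts that need a forced password reset."""
    flagged = {}
    for ip, s in summarize(log_text).items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "compromised": s["successes"],
                           "fail_ratio": round(ratio, 2)}
    return flagged
```

Real stuffing traffic is usually spread across many proxy IPs, so the same aggregation is normally run per network block, ASN or device fingerprint as well, not only per address.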

If users set a unique password for all accounts, credential stuffing attacks do not work. Since most people have dozens of accounts on a wide range of platforms, it is not possible to create strong, unique passwords for all of those sites and be able to remember them without writing them down or storing them on a computer. The best option is to use a password manager solution. Password managers, such as Bitwarden, incorporate secure password and username generators, which will allow a unique username and a unique complex password to be set for all accounts. The usernames and passwords are stored in an encrypted password vault and users only need to set and remember one complex password or passphrase for their password vault. The passwords in their vault will be automatically filled in when the user visits the relevant website.

Password managers are low-cost security solutions, and some vendors offer free tiers for consumers. They give users the opportunity to improve security, prevent credential stuffing and other brute force attacks, and keep their accounts and sensitive information private and confidential.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news