GM Discloses Data Breach of Cars' Locations, Mileage, Service
Hackers Could Know Where You’ve Been Driving: General Motors Discloses Data Breach
The Michigan carmaker says that a credential stuffing attack pilfered a pile of personal information from car owners. They hackers stole reward points, too.
ByLucas Ropek
5/24/22 2:59PM
Comments (15)
Alerts
Image for article titled Hackers Could Know Where You’ve Been Driving: General Motors Discloses Data Breach
Photo: Mario Tama (Getty Images)
General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history.
The Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General’s Office on May 16. The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29. Further investigation revealed that the company had been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards. Credential stuffing is a rudimentary type of cyberattack that involves using lists of previously compromised login credentials to hack into online accounts. Such lists can be purchased with relative ease on the dark web.
Related Stories
This Hacker Group Forces People to Do Good to Get Their Data Back
Watch Now
Bees Are Fish Now, I Guess?
California Greenlights Nation's First Driverless Taxi Fleet
“We took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues. We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement,” the company says. Customers whose reward points had been abused were subsequently replenished with new reward points, the company added.
In addition to the reward points theft, the incident also exposed a significant amount of user information. GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:
first and last name
personal email address
home address
username
phone number
last known and saved favorite location
OnStar package (if applicable)
family members’ avatars and photos
profile picture
search and destination information
reward card activity
fraudulently redeemed reward points
Oh okay, only that? Phew, for a minute I thought this breach might be big! The company has made it known that the stolen information did not include birthdays, social security numbers, credit card or bank information, or driver’s license numbers, since that information “is not stored in your GM account.” Good thing, too!
Acer
High-Tech Deals
Gizmodo
The Biggest Crypto Heists of 2022…So Far
Currys
APPLE MacBook Pro 16" (2021) - M1 Pro, 512 GB SSD, Silver
Gizmodo
Everything Apple Tried to Kill at WWDC 2022
RAPID ELECTRONICS
Pimoroni Pico Explorer Base
It’s unclear exactly how many customers were affected by this breach, though we know it’s more than 500 in California alone. California law requires that companies file public breach notifications to the OAG in cases where the number of state residents affected by the incident is greater than 500 people.
The Michigan carmaker says that a credential stuffing attack pilfered a pile of personal information from car owners. They hackers stole reward points, too.
ByLucas Ropek
5/24/22 2:59PM
Comments (15)
Alerts
Image for article titled Hackers Could Know Where You’ve Been Driving: General Motors Discloses Data Breach
Photo: Mario Tama (Getty Images)
General Motors suffered a hack that exposed a significant amount of sensitive personal information on car owners—names, addresses, phone numbers, locations, car mileage, and maintenance history.
The Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General’s Office on May 16. The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29. Further investigation revealed that the company had been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards. Credential stuffing is a rudimentary type of cyberattack that involves using lists of previously compromised login credentials to hack into online accounts. Such lists can be purchased with relative ease on the dark web.
Related Stories
This Hacker Group Forces People to Do Good to Get Their Data Back
Watch Now
Bees Are Fish Now, I Guess?
California Greenlights Nation's First Driverless Taxi Fleet
“We took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues. We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement,” the company says. Customers whose reward points had been abused were subsequently replenished with new reward points, the company added.
In addition to the reward points theft, the incident also exposed a significant amount of user information. GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:
first and last name
personal email address
home address
username
phone number
last known and saved favorite location
OnStar package (if applicable)
family members’ avatars and photos
profile picture
search and destination information
reward card activity
fraudulently redeemed reward points
Oh okay, only that? Phew, for a minute I thought this breach might be big! The company has made it known that the stolen information did not include birthdays, social security numbers, credit card or bank information, or driver’s license numbers, since that information “is not stored in your GM account.” Good thing, too!
Acer
High-Tech Deals
Gizmodo
The Biggest Crypto Heists of 2022…So Far
Currys
APPLE MacBook Pro 16" (2021) - M1 Pro, 512 GB SSD, Silver
Gizmodo
Everything Apple Tried to Kill at WWDC 2022
RAPID ELECTRONICS
Pimoroni Pico Explorer Base
It’s unclear exactly how many customers were affected by this breach, though we know it’s more than 500 in California alone. California law requires that companies file public breach notifications to the OAG in cases where the number of state residents affected by the incident is greater than 500 people.
