Exploit: Credential Stuffing
General Motors (GM): Automobile Manufacturer
Risk to Business: 2.872 = Moderate
General Motors (GM) has announced that it was hit by a credential stuffing attack last month that exposed customer information. GM said that they detected the malicious login activity between April 11-29, 2022, and that hackers obtained access through credential stuffing. GM said in a statement “We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.” The bad actors also redeemed loyalty points from some customers’ accounts for gift cards.
Risk to Individual: 2.583 = Moderate
Customer data that was exposed in this incident includes first and last names, personal email addresses, home addresses, usernames and phone numbers for registered family members tied to the account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile pictures and search and destination information, car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords).
How it Could Affect Your Customers’ Business: Dark web data is a credential compromise hazard that can bite any business big or small leading to a data exposure disaster.
Source: Info Security Magazine