US automobile behemoth General Motors (GM) has confirmed that it suffered a credential stuffing attack last month.
GM said that it detected malicious login activity between April 11-29 2022, resulting in the exposure of customer information and allowing hackers to redeem gift card reward points.
GM sent a data breach notification to affected customers, saying:
“We are writing to follow-up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorization.”
In a separate data breach notification, GM speculated on the cause of the attack:
“Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself. We believe that unauthorized parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account.”