General Motors reports “suspicious activity” within certain GM accounts

The multinational American auto manufacturer General Motors (GM) has suffered what appears to be a credential stuffing attack, affecting a limited number of GM MyAccounts.

The firm said it observed suspicious activity within 65 GM ‘MyAccounts’ and identified purchase activity on those accounts from the GM accessories website.

The breach occurred on May 18th, 2024, and was discovered on May 24th, 2024.

The GM accessories website sells various automotive-related products, such as branded pens, backpacks, gloves, jewelry, and even teddy bears.

GM said an unauthorized party used the accounts to buy items without customer authorization.

The company launched an investigation and believes that unauthorized parties obtained access to login credentials through an unrelated data leak.

The company suspects that the GM MyAccount holders may have reused these compromised credentials without knowing that they were compromised.

This is known as a credential stuffing attack, in which a threat actor takes account credentials stolen from one service and uses them to log in to accounts on other services.

GM said that through this suspected credential stuffing activity, the threat actors could have obtained certain personal information, including:

  • First and last names
  • Personal address
  • Phone numbers
  • Payment card information (last four digits of credit card number)

However, the company said that there’s no evidence that any of the information has been misused and explicitly stated that the GM MyAccount information did not include dates of birth, Social Security numbers, or driver's license information.

Upon discovery, GM forced password resets on the 65 affected accounts, activated multi-factor authentication, and reported the incident to relevant law enforcement agencies.

The company also refunded the unauthorized payments found within the affected accounts from the GM Accessories website.

It’s unknown how much the threat actor purchased, but the products on the GM accessories website can range from $4 to almost $4,000.

GM said there’s no evidence that login credentials were taken directly from the company, lending weight to the theory that this was likely a credential stuffing attack.

Credential stuffing attacks are easy to carry out, especially when large databases of compromised credentials are openly available for purchase on dark web forums.

An example of this is the recent RockYou2024 database that surfaced on a dark web forum. Cybernews researchers discovered what appeared to be the largest password compilation with a staggering 9,948,575,739 unique plaintext passwords.

If exploited, this type of database could be used to log in to compromised accounts, allowing cybercriminals to commit fraud and engage in other illegal activities.
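From the defender's side, credential stuffing leaves a recognizable trace in login logs: one source trying many different accounts and mostly failing. The sketch below is an added example, not GM's tooling; the log format, addresses, account names and thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: timestamp, source IP, username, result (assumed format).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 203.0.113.7 user1@example.com FAIL
2024-01-01T10:00:02Z 203.0.113.7 user2@example.com FAIL
2024-01-01T10:00:03Z 203.0.113.7 user3@example.com OK
2024-01-01T10:00:04Z 203.0.113.7 user4@example.com FAIL
2024-01-01T10:00:05Z 203.0.113.7 user5@example.com FAIL
2024-01-01T10:00:06Z 203.0.113.7 user6@example.com FAIL
2024-01-01T10:05:00Z 198.51.100.20 bob@example.com FAIL
2024-01-01T10:05:09Z 198.51.100.20 bob@example.com OK
2024-01-01T09:00:00Z 192.0.2.5 ann@example.com OK
2024-01-01T09:01:00Z 192.0.2.5 ben@example.com OK
2024-01-01T09:02:00Z 192.0.2.5 cat@example.com OK
2024-01-01T09:03:00Z 192.0.2.5 dan@example.com OK
2024-01-01T09:04:00Z 192.0.2.5 eve@example.com OK
"""

def parse(log):
    """Yield (ip, user, success) for each well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            _ts, ip, user, result = parts
            yield ip, user, result == "OK"

def detect_stuffing(log, min_users=5, max_success_ratio=0.3):
    """Map each suspicious source IP to the accounts it logged in to.

    A source is suspicious when it tried at least `min_users` distinct
    accounts and got into at most `max_success_ratio` of them. The ratio
    keeps a shared office NAT (many users, nearly all succeeding) and a
    single user mistyping a password from being flagged.
    """
    tried, hit = defaultdict(set), defaultdict(set)
    for ip, user, ok in parse(log):
        tried[ip].add(user)
        if ok:
            hit[ip].add(user)
    return {
        ip: sorted(hit[ip])  # accounts that need a forced reset and review
        for ip, users in tried.items()
        if len(users) >= min_users and len(hit[ip]) / len(users) <= max_success_ratio
    }

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: successful logins to {accounts}")
```

Attackers often spread attempts across many source addresses, so the same grouping is worth running on other keys as well, such as network range or client fingerprint.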