A credential stuffing attack is a type of cyberattack in which attackers collect stolen account credentials, such as usernames and passwords, to breach into a system.
Detroit-based automaker revealed details of the incident in a breach disclosure filed with the California Attorney General’s Office on May 16. The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29. Further investigation revealed that the company had been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards. Credential stuffing is a rudimentary type of cyberattack that involves using lists of previously compromised login credentials to hack into online accounts. Such lists can be purchased with relative ease on the dark web.
Through this malicious activity, attackers may have gained access to “limited” personal information of GM online or mobile application accounts, including the users’ first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points. The breached GM accounts did not include date of birth, Social Security number, driver’s license number, credit card 2 information, or bank account information, as that information is not stored in the GM account, GM says.
According to F5 Labs, in 2018 and 2019, the combined threats of phishing and credential stuffing made up roughly half of all publicly disclosed breaches in the United States. “Stolen credentials are so valuable that demand for them remains enormous, creating a vicious circle in which organizations suffer both network intrusions in pursuit of credentials and credential stuffing in pursuit of profits,” F5 researchers Sander Vinberg and Jarrod Overson explain.