Vehicle owner data exposed in GM credential stuffing attack
2022-05-25 15:41

Car manufacturer General Motors has confirmed the credential stuffing attack it suffered last month exposed customers' names, personal email addresses, and destination data, as well as usernames and phone numbers for family members tied to customer accounts.

Other, more personal information, including social security, credit card and bank account numbers, as well as driver's license data, is not stored in customers' GM accounts and was not laid bare, GM officials said in a letter [PDF] sent to customers this month.

If a credential stuffing attack succeeds, the attackers can use the credentials for myriad activities, such as using credit card data to make purchases, stealing gift cards saved on the customer's account, using the information for phishing attacks, or selling the login information and personal data to other bad actors.

News about the GM attack comes the same week that online wedding planning site Zola admitted that it, too, was the victim of a credential stuffing attack, with some customers complaining that bank accounts linked to the site were used to buy gift cards.

Credential stuffing attacks have added more fuel to the demand that companies move past passwords as the primary user authentication method for securing online accounts, with critics saying passwords are too easy to break and leave sensitive customer data vulnerable to being exposed and stolen.

Uriel Maimon, vice president of emerging products at cybersecurity vendor PerimeterX, told The Register in an email that the attacks on GM and Zola show that credential stuffing attacks "continue to fuel the web attack lifecycle, potentially using these stolen user credentials on other e-commerce sites. We can expect that these credentials will soon be tested on other apps that we use daily to power our lives."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/05/25/gm-credential-stuffing-attack/