Auto giant hit by major cyber attack

General Motors (GM) was hit by a cyber attack that prompted the company to send two data breach notifications to affected customers.

27 May 2022

The US auto manufacturer announced that it had detected malicious login activity between 11 and 29 April 2022, and that the credential stuffing attack had made customer information public.

Owners of Chevrolet, Buick, GMC, and Cadillac vehicles manage bills and redeem rewards points on GM’s online platform.

Correspondence from GM further revealed that the credential stuffing attack had enabled hackers to redeem rewards points for gift cards.

"We are writing to follow-up on our [DATE] email to you, advising you of a data incident involving the identification of recent redemption of your reward points that appears to be without your authorisation," GM said in a data breach notification sent to affected customers.

Malicious cyber actors carried out a "credential stuffing attack", using data obtained from a previous breach at an unrelated service with the aim of unlocking and logging in to another service.



"Based on the investigation to date, there is no evidence that the log in information was obtained from GM itself," GM said in one of the data breach notifications.

"We believe that unauthorised parties gained access to customer login credentials that were previously compromised on other non-GM sites and then reused those credentials on the customer’s GM account."

The hackers obtained personal information about customers, including first and last names, personal email addresses, home addresses, usernames and phone numbers. Car-related data had also been compromised, and hackers had access to car mileage history, service history, emergency contacts and Wi-Fi hotspot settings (including passwords).

Hackers even uncovered details about registered family members tied to accounts, last known and saved favourite locations, family members’ avatars and photos (if uploaded), profile pictures, and search and destination information.

According to GM, the hackers had redeemed some customer reward points for gift cards.

GM advised affected customers to reset their passwords, request credit reports and freeze bank accounts if necessary. The company also confirmed all affected customers will have their stolen rewards points restored.
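For defenders, the credential stuffing pattern described above (one source trying many different usernames, mostly failing) can be spotted in authentication logs, and the accounts that did authenticate from such a source are the ones to reset. The sketch below is an added example, not GM's tooling; the log format, sample lines and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed sliding window
MIN_USERS = 5                   # assumed: distinct usernames from one source
MAX_SUCCESS_RATE = 0.3          # assumed: stuffing runs mostly fail

# Constructed sample log: timestamp, source IP, username, result
SAMPLE_LOG = """\
2024-01-01T09:00:01 203.0.113.7 alice FAIL
2024-01-01T09:00:03 203.0.113.7 bob FAIL
2024-01-01T09:00:05 203.0.113.7 carol OK
2024-01-01T09:00:07 203.0.113.7 dave FAIL
2024-01-01T09:00:09 203.0.113.7 erin FAIL
2024-01-01T09:00:11 203.0.113.7 frank FAIL
2024-01-01T09:01:00 198.51.100.20 gina FAIL
2024-01-01T09:01:30 198.51.100.20 gina OK
""".splitlines()

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect(lines):
    """Map each flagged source IP to the accounts it logged in to successfully."""
    by_ip = defaultdict(list)
    for event in sorted(map(parse, lines)):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most WINDOW of time.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            users = {e[2] for e in window}
            successes = sum(e[3] for e in window)
            if len(users) >= MIN_USERS and successes / len(window) <= MAX_SUCCESS_RATE:
                # Treat every account this source authenticated to as compromised.
                flagged[ip] = sorted({e[2] for e in events if e[3]})
                break
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect(SAMPLE_LOG).items():
        print(f"{ip}: force password reset for {accounts}")
```

A single user mistyping a password and then succeeding (the second source in the sample) is not flagged, because the rule keys on many distinct usernames rather than on failures alone.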

