General Motors has informed some users that their personal online accounts may have been compromised, giving hackers access to personal information like phone numbers, email addresses, as well as their first and last names.
The automaker said in a Notice of Data Breach that it identified some suspicious log-ins to GM online customer accounts between April 11 and April 29, 2022. The number of accounts accessed is not clear but Bloomberg cites the California Attorney General’s Office in reporting that 5,000 breach letters were sent to residents in that state.
GM indicates that through this breach, the following information may have been compromised: first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, your currently subscribed OnStar package, family members’ avatars and photos, profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points.
Fortunately for those affected, Social Security numbers, driver’s license details, and credit card information were not compromised. The automaker also claims that users’ passwords were not obtained on GM systems but were, instead, stolen from other websites where customers might reuse their login credentials.
Ultimately, the scam appears to have been relatively simple. Hackers logged in and redeemed customer reward points for gift cards without customers’ authorization. In response, GM suspended the feature and notified affected customers about the issue. It also notified law enforcement and continues to monitor the situation.
In addition, GM has required affected customers to reset their passwords and has provided advice on how they might best protect themselves from having this happen again. These best practices include not using the same password for multiple accounts, as well as how to freeze credit cards in case further security breaches are detected.