
How Cyberattackers Took GM for a Ride

General Motors (GM) recently announced that it had suffered a cyberattack in April 2022 that exposed some customers’ information and allowed hackers to redeem reward points in exchange for gift cards. But unlike other high-profile breaches, this one wasn’t actually caused by GM getting hacked. Instead, GM was the victim of a credential stuffing attack.
Wait, what is credential stuffing?
In a credential stuffing attack, cybercriminals use credentials stolen in a previous data breach to gain access to user accounts. Since 66% of people reuse passwords, it’s likely that the credentials stolen from a previous data breach on Site A will work to access an account on Site B — in this case the GM site. Attackers know that passwords are often reused, so they use bots to rapidly test stolen credentials across popular sites. If the bots successfully log in, they have a winner!
Once fraudsters identify a valid username and password pair, they can use the credentials to log into — and take over — legitimate accounts. Because the credentials are accurate, there’s a good chance they will get into the accounts without any problems. And since most websites don’t have security checks post-login, the fraudster is free to navigate through and abuse the account, no questions asked.
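The pattern described above (one source rapidly trying many different accounts, mostly failing, with an occasional success) can be detected in authentication logs. The following is an added example, not code from the original post or from GM; the log format, thresholds and function names are assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log: ISO timestamp, source IP, username, result.
SAMPLE_LOG = """\
2022-04-11T10:00:00 203.0.113.7 alice FAIL
2022-04-11T10:00:02 203.0.113.7 bob FAIL
2022-04-11T10:00:03 203.0.113.7 carol OK
2022-04-11T10:00:05 203.0.113.7 dave FAIL
2022-04-11T10:00:06 203.0.113.7 erin FAIL
2022-04-11T10:00:08 203.0.113.7 frank FAIL
2022-04-11T10:01:00 198.51.100.4 grace FAIL
2022-04-11T10:01:10 198.51.100.4 grace FAIL
2022-04-11T10:01:25 198.51.100.4 grace OK
"""

def parse(log):
    """Yield (time, ip, user, succeeded) tuples from the assumed log format."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        yield datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(events, window_s=60, min_users=5, min_fail_ratio=0.7):
    """Return {ip: sorted usernames that logged in OK} for every IP that tried
    many distinct accounts within a short window while mostly failing."""
    windows = defaultdict(deque)   # ip -> recent (time, user, ok) attempts
    successes = defaultdict(set)   # ip -> every account it logged into
    flagged = set()
    for ts, ip, user, ok in sorted(events, key=lambda e: e[0]):
        win = windows[ip]
        win.append((ts, user, ok))
        # Drop attempts that fell out of the sliding window.
        while (ts - win[0][0]).total_seconds() > window_s:
            win.popleft()
        if ok:
            successes[ip].add(user)
        users = {u for _, u, _ in win}
        fails = sum(1 for _, _, o in win if not o)
        if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
            flagged.add(ip)
    return {ip: sorted(successes[ip]) for ip in flagged}

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: possible credential stuffing; review accounts {accounts}")
```

The second source in the sample, a single user retrying their own password, is not flagged because only one account is involved. Attempts spread across many source addresses will not trip a per-IP threshold, so this is one signal to combine with post-login checks on the accounts it returns.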
According to the 2022 Verizon Data Breach Investigations Report (DBIR), there are four key entry points to your digital estate. Credentials are the clear number one, accounting for more breaches than the other three — phishing, exploiting vulnerabilities and botnets — combined. In fact, 67% of basic web application attacks last year involved the use of stolen credentials.
Back to GM
This is precisely what happened at GM. According to the company, “There is no evidence that the login information was obtained from GM itself. We believe that unauthorized (Read more...)
*** This is a Security Bloggers Network syndicated blog from PerimeterX Blog authored by PerimeterX Blog. Read the original post at: https://www.perimeterx.com/resources/blog/2022/how-cyberattackers-took-gm-for-a-ride/