teamzr1
Supporting vendor
May 2022 - General Motors itself suffered a hack that exposed a significant amount of sensitive personal information on car owners: names, addresses, phone numbers, locations, car mileage, and maintenance history.
The Detroit-based automaker revealed details of the incident in a breach disclosure (see attached PDF below) filed with the California Attorney General’s Office, but not until May 16.
The disclosure explains that malicious login activity was detected on an unspecified number of GM online user accounts between April 11 and 29.
Further investigation revealed that the company had also been hit with a credential stuffing attack, which saw hackers infiltrate user accounts to steal customer reward points, which they then redeemed for gift cards. Credential stuffing is a rudimentary type of cyberattack that involves using lists of previously compromised login credentials to hack into online accounts. Such lists can be purchased with relative ease on the dark web.
“We took swift action in response to the suspicious activity by suspending gift card redemption and notifying affected customers of these issues.
We also took steps to require those customers to reset their passwords at their next log in, and we reported this incident to law enforcement,” the company says. Customers whose reward points had been abused were subsequently replenished with new reward points, the company added.
In addition to the reward points theft, the incident also exposed a significant amount of user information.
GM’s breach notification lays out a full list of the information that may have been compromised by the hackers:
• first and last name
• personal email address
• home address
• username
• phone number
• last known and saved favorite location
• OnStar package (if applicable)
• family members’ avatars and photos
• profile picture
• search and destination information
• reward card activity
• fraudulently redeemed reward points
It’s unclear exactly how many customers were affected by this breach, though we know it’s more than 500 in California alone. California law requires that companies file public breach notifications to the OAG in cases where the number of state residents affected by the incident is greater than 500 people.
But this is nothing new, as GM and other nameplates have been hacked over and over again over the last 10 years.
It is no better in GM’s vehicles, as OnStar, which is a spy on vehicles & their owners, also opened the vehicles' network to countless crooks.
When a pair of security researchers showed they could hack a Jeep over the Internet earlier this summer to hijack its brakes and transmission, the impact was swift and explosive: Chrysler issued a software fix before the research was even made public.
The National Highway Traffic and Safety Administration launched an investigation. Within days Chrysler issued a 1.4 million vehicle recall.
But when another group of researchers quietly pulled off that same automotive magic trick five years earlier, their work was answered with exactly none of those reactions.
That’s in part because the prior group of car hackers, researchers at the University of California at San Diego and the University of Washington, chose not to publicly name the make and model of the vehicle they tested, which has since been revealed to be General Motors’ 2009 Chevy Impala.
They also discreetly shared their exploit code only with GM itself rather than publish it.
The result, WIRED has learned, is that GM took nearly five years to fully protect its vehicles from the hacking technique, which the researchers privately disclosed to the auto giant and to the National Highway Traffic Safety Administration in the spring of 2010.
For nearly half a decade, millions of GM cars and trucks were vulnerable to that privately known attack, a remote exploit that targeted its OnStar dashboard computer and was capable of everything from tracking vehicles to engaging their brakes at high speed to disabling brakes altogether.