A California law requires companies to disclose data breaches that affect more than 500 state residents. GM filed such a notice with the California Attorney General’s Office on May 16, stating that it had discovered malicious activity in GM user accounts between April 11 and 29. IT Guru first reported the compulsory disclosure. The law does not require companies to disclose how many people were affected, though, so all we know at the moment is that the number exceeded 500.
The automaker says the hackers did not break into GM's own systems. Instead, we are told that the accounts were targeted by a tactic known as credential stuffing, in which hackers obtain login credentials exposed in a breach elsewhere and try them on other sites. In this case, the hackers logged in to customers' accounts using the old credentials, then stole the customers' reward points and redeemed them for gift cards.
According to Gizmodo, the thieves did not find important personal or financial information such as birthdays, social security numbers, driver’s licenses, credit card numbers or bank information. The carmaker says such data is not stored in the owner’s GM account.
But the thieves did find loads of other information that some black hat groups will surely try to pair with other lists of stolen information. The compromised data points are: first and last name, username, phone number, home address, email address, profile picture and avatar and photo, search and destination history, last known location, favorite location, reward points, and applicable OnStar package.
A GM statement said, “We have taken prompt action in response to suspicious activity by suspending gift card redemption and notifying affected customers of these issues. This is a matter for law enforcement.” GM has also replaced reward points for every customer whose points have been stolen.