GM, Zola customer accounts compromised through credential stuffing

Customers of automaker General Motors (GM) and wedding planning company Zola have had customer accounts compromised through credential stuffing, and the criminals have used the access to redeem gift cards.

What is credential stuffing?

Credential stuffing is a type of attack aimed at hijacking accounts.

The attackers test username/password combinations stolen in previous hacks (or bought from other attackers) on other online services. Since too many users reuse the same combinations across many services, and many services don’t provide additional security protections (e.g., multi-factor authentication), hijacking accounts in this way is easy – and happens often.

The GM credential stuffing attack

The notice of data breach sent out by US car manufacturer General Motors to affected users says that they “identified some suspicious log ins to certain GM online customer accounts and identified recent redemption of customer reward points for gift cards that may have been performed without the customers’ authorizations” between April 11 and April 29, 2022.

After a more thorough investigation, GM concluded that the credentials were not obtained by attackers breaching GM itself. Instead, the company blames password reuse and credential stuffing for the breach.

The company says that attackers had access to all the information contained in those accounts: customer first and last name, personal email address, personal address, username and phone number for registered family members tied to their account, last known and saved favorite location information, their currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points.

Since the accounts don’t include information such as date of birth, Social Security number, driver’s license number, credit card or bank account information, the immediate damage inflicted by attackers was limited to using reward points to redeem gift cards.

The company did not share how many accounts had been compromised, but it promised to restore the reward points and has urged affected customers to reset their password, choose a better, unique one, and do the same on other accounts where they used the same compromised username/password combination.

Zola got hit, too

Earlier this week, popular wedding planning website Zola confirmed that some user accounts had been hacked over the weekend and the linked bank accounts used to buy gift cards.

In a more recent update on the situation, Zola said that their site and mobile apps were hit with credential stuffing attempts and that “fewer than 0.1% of all Zola couples were impacted.”

They also said that credit card and bank information – both of customers and their guests – was never exposed, and that all fraudulent cash transfers were blocked and 100% of fraudulent orders will be refunded.

The company has forced a password reset on all users, not just those whose accounts were compromised.

Protections against credential stuffing

Users should use unique username/email and password combinations for each online service, but they often don’t.

Tom Van de Wiele, Principal Security Consultant, Cyber Security Services at WithSecure, notes that passwords can be hard to remember if online services do not offer the option to allow for passphrases or the option to copy/paste a passphrase from a password manager.

“The consequence is that a lot of customers of online services will re-use passwords they have already used in the past for the sake of convenience,” he added.

Users should consider using a password manager so that they can use unique passphrases for each service, he advises, as this will limit the impact of a password breach. They should also enable multi-factor authentication (if there is an option to do so).

“This would force the attacker to target individuals with a phishing campaign in order to attempt bypassing multi-factor authentication, which takes time and is a lot more expensive, which might take away the incentive for a lot of attackers,” he explained.

“Unfortunately, not all attackers will be deterred by this, so keep an eye on your e-mail inbox to make sure you know when someone is logging onto your online accounts. If you are in doubt that someone might have obtained your password or passphrase, change it preemptively to something new. And of course, make sure you guard your master passphrase and have a recovery code backed up in a secure physical location.”

But businesses should also do their best to safeguard information and secure accounts, and not simply blame customers for their passwords being obtained elsewhere.

They should offer users the option to use multi-factor authentication, and should secure all the customer information they have – including passwords – by encrypting it. They should also implement additional protections that can spot suspicious login attempts based on a combination of various signals.
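As an added illustration of that last point (not code from the article or from either company), the following Python flags a source IP that tries many distinct usernames in a short window with mostly failed logins, which is the shape of credential stuffing rather than a user mistyping their own password; the log format, sample lines and thresholds are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, source IP, username, result
SAMPLE_LOG = """\
2022-04-11T10:00:01 203.0.113.5 alice fail
2022-04-11T10:00:02 203.0.113.5 bob fail
2022-04-11T10:00:03 203.0.113.5 carol fail
2022-04-11T10:00:04 203.0.113.5 dave fail
2022-04-11T10:00:05 203.0.113.5 erin success
2022-04-11T10:00:06 203.0.113.5 frank fail
2022-04-11T10:00:07 203.0.113.5 grace fail
2022-04-11T10:05:00 198.51.100.7 alice fail
2022-04-11T10:05:30 198.51.100.7 alice fail
2022-04-11T10:06:00 198.51.100.7 alice success
"""

def parse_log(text):
    """Turn each line into (timestamp, ip, username, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "success"))
    return events

def detect_stuffing(events, window=timedelta(minutes=5), min_attempts=5,
                    min_users=4, max_success_rate=0.5):
    """Combine several signals per source IP over a sliding time window:
    attempt volume, number of distinct usernames, and a low success rate.
    One user retrying their own password (few usernames) is not flagged.
    Returns {ip: {attempts, distinct_users, compromised}} for flagged IPs."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1  # slide the window forward
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            if (len(win) >= min_attempts and len(users) >= min_users
                    and len(successes) / len(win) <= max_success_rate):
                # Accounts that logged in successfully during the burst need review
                alerts[ip] = {"attempts": len(win), "distinct_users": len(users),
                              "compromised": sorted(successes)}
    return alerts
```

In the sample, 203.0.113.5 is flagged and the one account it logged into (erin) is listed for follow-up, while 198.51.100.7, a single user retrying their own password, is not.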
