General Motors has informed some users that their personal online accounts may have been compromised, giving hackers access to personal information such as phone numbers, email addresses, as well as their first and last names.
The automaker said in a data breach notice that it had identified some suspicious logins to GM online customer accounts between April 11 and April 29, 2022. The number of accounts accessed is unclear, but Bloomberg reports from California’s attorney general’s office that 5,000 infringement letters were sent to residents of that state.
GM indicates that through this breach, the following information has been compromised: name and last name, personal email address, personal address, username and phone number of registered family members attached to your account, latest known and saved favorite location information, your current Subscribed OnStar packages, avatars and photos of family members, profile pictures, search and destination information, reward card activity, and fraudulently redeemed reward points.
Read more: Hacker finds old Tesla infotainment system hits eBay with personal user data
Fortunately for the victims, social security numbers, driver’s license details and credit card information were not compromised. Automaker further claims that users’ passwords were not retrieved from the GM system but instead, were stolen from other websites where customers could reuse their login credentials.
In the end, the scandal seems relatively simple. Hackers logged in and redeemed customer reward points for gift cards without customer approval. In response, GM suspended the feature and notified affected customers about the problem. It has also notified law enforcement and is monitoring the situation.
In addition, GM has forced affected customers to reset their passwords and advised them on how to protect themselves from this happening again. These best practices include not using the same password for multiple accounts, as well as how to freeze credit cards in case of further security breaches.