General Motors, a US based automobile manufacturer, has announced that it suffered from a credential stuffing attack last month that ultimately exposed customer information. In addition, the attack allowed hackers to redeem rewards points and gain gift cards. General Motors stated that they detected the malicious activity between April 11 and 29 of this year, and released a data breach notification to its affected customers shortly thereafter. The credential stuffing attack consisted of threat actors obtaining credentials from a previous data breach and using them to log into another unrelated service.

There is no evidence thus far that the login information was obtained from GM itself nor that GM credentials were breached previously. Personal information belonging to customers exposed in the attack includes first and last names, email and home addresses, usernames, phone numbers, last known location information, profile pictures, and search information. Other potential details that might have been accessible to the attackers includes car mileage history, emergency contacts, and Wi-Fi hotspot settings. GM has advised that the affected customers reset passwords and request credit reports from their banks to ensure that banking information was not impacted and to prevent against identity theft.

Read More: US Car Giant General Motors Hit by Cyber-Attack Exposing Car Owners’ Personal Info