GM Pwned By Hackers…. Who Then Fraudulently Obtained Gift Cards

GM has alerted customers to a data breach resulting from a wave of credential stuffing attacks against its customer platform last month. The attacks exposed some customers’ personal information (PII) and allowed the attackers to redeem GM reward points for gift cards. In the breach notification sent to affected customers, GM stated that it will restore the points of every customer affected by this breach.

I have a trio of comments on this. The first is from Domnick Eger, Field CTO of Anjuna Security:

“With the ever-growing issues with PII being leaked by third-party sites, credential stuffing is not an isolated problem; the data being leaked is being used on other sites, and in this case, GM was the target. This problem will continue as long as companies ignore the three most critical security models, including in-use, at-rest, and in-transit. Companies must focus on limiting the attack surface to avoid situations like this and, most importantly, protect their customer data.”

The second is from Christopher Prewitt, Chief Technology Officer of MRK Technologies:

In a web application with basic security measures in place, brute force attacks are likely to fail, while credential stuffing attacks can often succeed. The reason is that even if you enforce strong passwords, users may share that password across services, leading to a compromise. This is why developers should look to utilize CAPTCHA, rate-limit login attempts, and multi-factor authentication to prevent these types of attacks. In this case, this website isn’t critical to GM’s core mission; however, all web properties should be protected from basic attacks.
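Prewitt’s distinction between the two attacks also shows up in a login log, which is where a defender catches it: a brute force source keeps hitting one username, while a credential stuffing source tries each stolen username/password pair once, so almost every attempt names a different account. The example below is added here and is not code from the post or from any of the quoted commenters; the log format, IP addresses, usernames and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample log (not real data): 198.51.100.7 hammers one account
# (brute force); 203.0.113.9 tries each stolen pair once against a different
# account (credential stuffing) and gets into "erin"; 192.0.2.44 is a real user.
SAMPLE_LOG = """\
ip=198.51.100.7 user=alice result=fail
ip=198.51.100.7 user=alice result=fail
ip=198.51.100.7 user=alice result=fail
ip=203.0.113.9 user=bob result=fail
ip=203.0.113.9 user=erin result=success
ip=203.0.113.9 user=frank result=fail
ip=192.0.2.44 user=heidi result=fail
ip=192.0.2.44 user=heidi result=success
"""
LINE_RE = re.compile(r"ip=(\S+) user=(\S+) result=(\w+)")

def summarize(log_text):
    # Per source IP: total attempts, distinct usernames tried, users who got in.
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(), "logged_in": set()})
    for ip, user, result in LINE_RE.findall(log_text):
        s = per_ip[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "success":
            s["logged_in"].add(user)
    return per_ip

def classify_sources(log_text, min_attempts=3, stuffing_ratio=0.8):
    # Below min_attempts nothing is flagged (a login rate limit uses the same kind
    # of threshold). One username, many tries: brute force. Almost every try a
    # different username: credential stuffing, one attempt per stolen pair.
    labels = {}
    for ip, s in summarize(log_text).items():
        if s["attempts"] < min_attempts:
            labels[ip] = "normal"
        elif len(s["users"]) == 1:
            labels[ip] = "brute_force"
        elif len(s["users"]) / s["attempts"] >= stuffing_ratio:
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "suspicious"
    return labels

def accounts_to_reset(log_text):
    # Users who authenticated from a stuffing source: their reused password was
    # valid here, so they need a forced password reset (as GM required).
    stats, labels = summarize(log_text), classify_sources(log_text)
    return sorted(u for ip, lab in labels.items()
                  if lab == "credential_stuffing" for u in stats[ip]["logged_in"])
```

A rate limit keyed on the source IP alone would throttle the brute force source but barely notice a stuffing campaign spread across many IPs, which is why the username-diversity signal and per-account MFA matter as much as the limit itself.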

Finally, I have a comment from Matt Carpenter, Principal at GRIMM:

Credential stuffing is only effective because users regularly break best-practice password rules; specifically, they reuse passwords between different sites (and let’s not talk about password longevity and guessability). I’m not condemning the reader (do you feel guilty?); I’ve been guilty of this as well, but that doesn’t take away the real risk of doing so.

Websites have been hacked and credentials stolen and posted, often first on the dark web and later in more public forums. Sometimes exceedingly large websites have been hacked (Facebook, TJX, Netflix, LinkedIn, etc.). In 2020, even a site that tracked stolen credentials was hacked to capture billions of credentials. (https://siliconangle.com/2020/11/04/billions-stolen-credentials-defunct-breach-index-site-leaked-online/)

These stolen credentials don’t just disappear. Google Chrome checks to see if passwords you have saved within Chrome have shown up in public forums, and Chrome relentlessly encourages you to change them.

One of the more harmless but initially troubling attacks these credentials have been used for is blackmail emails. You may recognize variants of “Hello, I’m a hacker, and this is your username and password: <real stolen password>. I’ve hacked your account and installed a trojan that has recorded you visiting porn sites; send me bitcoin, or I’ll share this video with <blah blah blah>.” The attacker most likely hasn’t done anything with your username/email and password except scare you into giving them money.

But of course, these stolen credentials can often be used more like a stolen credit card: to impersonate the owner of the stolen credentials and make use of whatever they provide the attacker. That’s what’s happened here.

Kudos to GM for identifying this activity and taking action on it. I don’t know when the emails notified consumers, but the letters were dated two and a half weeks after April 29th. Of course, the sooner consumers can be notified, the better, but GM “stopped the bleeding” by disabling the exploited feature, and they promised to restore any stolen credit (even though GM still had to pay out for the breach).

I’m basing some of my opinions on their letter, but it sounds like they handled this situation exceedingly well.

Passwords are dead. Long live passwords. While we still use passwords with sites that don’t use multi-factor authentication (like Duo or out-of-band communication like phone calls and emails/texting), I recommend using a password manager and keeping different passwords for each site.

GM requires affected users to reset their passwords before logging in to their accounts again. So if that’s you, I would make your password strong and unique to the site.

UPDATE: Lucas Budman, CEO of TruU, had this to say:

As long as we are still relying on the use of a password as an identification and security means, we will continue to see these types of attacks. Yes, second factors like email, SMS, or mobile apps can add a degree of security, but these are all bypassable, too. It is time for the world to move forward and adopt passwordless technology.
