In May 2022, General Motors disclosed that customer accounts on its online platform had been compromised through credential stuffing attacks that occurred between April 11 and April 29, 2022. The attackers used previously leaked username-password combinations from other data breaches to log into GM customer accounts, access personal information, and in some cases redeem or transfer reward points.
The attack was not a breach of GM's systems. It was a breach of GM's customers' habits — specifically, the habit of reusing passwords across multiple services.
How Credential Stuffing Works
Credential stuffing is straightforward in concept:
- An attacker obtains a list of username-password pairs from a previous data breach. Billions of these credentials are available on the dark web from breaches of LinkedIn, Adobe, Yahoo, and countless other services.
- The attacker uses automated tools to try these credentials against a target service — in this case, GM's online platform.
- Because many people reuse the same password across multiple services, a percentage of the stolen credentials will work on the target service.
- The attacker gains access to all accounts where the credentials were valid.
The success rate for credential stuffing is typically low — often less than 1% — but when you can test millions of credentials automatically, even a fraction of a percent yields thousands of compromised accounts.
What Was Exposed and Stolen
The compromised GM accounts contained:
- First and last names
- Personal email addresses
- Home addresses
- Usernames and phone numbers for registered family members
- Last known and saved favorite location data
- Currently subscribed OnStar package (if applicable)
- Family member avatars and photos
- Profile pictures
- Search and destination information
More critically, the attackers were able to redeem GM reward points. These loyalty points can be applied toward vehicle purchases, parts, and services. Some customers reported that their reward points — accumulated over years of vehicle purchases and service visits — had been fraudulently transferred or redeemed.
GM stated that the accounts did not contain Social Security numbers, credit card numbers, or bank account information. However, the combination of personal details exposed could enable further social engineering attacks.
The Credential Stuffing Epidemic
GM is far from alone. Credential stuffing is one of the most common attack techniques, and virtually every organization with an online login page is targeted:
- The North Face — 200,000 accounts compromised via credential stuffing in 2022
- Roku — 15,000 accounts compromised in January 2024, followed by 576,000 more in March 2024
- PayPal — 35,000 accounts compromised via credential stuffing in December 2022
- Norton LifeLock — approximately 925,000 accounts targeted in credential stuffing attacks in late 2022
The common thread: these are not vulnerabilities in the target platforms. They are a direct consequence of users reusing passwords, combined with the availability of billions of leaked credentials.
Why Detection Is Challenging
Credential stuffing is difficult to detect because each individual login attempt looks legitimate. The attacker is using real usernames and real passwords. The challenge is distinguishing between:
- A real customer logging in from a new device
- An attacker trying a stolen credential
Signals that can help detection include:
Login velocity. Credential stuffing generates high volumes of login attempts in a short period. Rate limiting and CAPTCHA challenges triggered by unusual login volumes can slow attackers.
Geographic anomalies. If a customer's account is typically accessed from Michigan but suddenly logs in from Eastern Europe, that is suspicious. However, VPNs and residential proxies can obscure the attacker's true location.
Device fingerprinting. Tracking device characteristics (browser, operating system, screen resolution, installed fonts) can help identify automated tools masquerading as legitimate browsers.
Login failure patterns. Credential stuffing generates a high failure rate interspersed with occasional successes. Monitoring the ratio of failed to successful logins across the platform can indicate an ongoing attack.
Behavioral analysis after login. Even after a successful credential stuffing login, the attacker's behavior differs from the legitimate user's. Immediate navigation to reward point redemption, address changes, or data export should trigger additional verification.
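The signals above can be computed directly from authentication logs. The following is an added example, not code from the original article or from GM's or Safeguard.sh's systems: it parses a constructed sample of login events and applies three of the signals listed (login velocity per source IP, platform-wide failure ratio, and a geographic anomaly check for successful logins). The log format, field names, thresholds, IP addresses (documentation ranges) and the "ZZ" country code are all assumptions for illustration.

```python
"""Credential-stuffing signals computed over authentication logs.

Added example, not from the original article. Log format, thresholds and
all sample data are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. Format (assumed):
#   <ISO timestamp> user=<name> ip=<addr> country=<ISO code> result=<success|failure>
# 203.0.113.x are "normal" customers; 198.51.100.23 sprays eight different
# usernames in 35 seconds with one hit. "ZZ" is a placeholder country code.
SAMPLE_LOG = """\
2022-04-11T09:00:00 user=alice ip=203.0.113.7 country=US result=success
2022-04-11T09:05:12 user=bob ip=203.0.113.8 country=US result=failure
2022-04-11T09:05:40 user=bob ip=203.0.113.8 country=US result=success
2022-04-11T09:10:00 user=carol ip=198.51.100.23 country=ZZ result=failure
2022-04-11T09:10:05 user=dave ip=198.51.100.23 country=ZZ result=success
2022-04-11T09:10:10 user=erin ip=198.51.100.23 country=ZZ result=failure
2022-04-11T09:10:15 user=frank ip=198.51.100.23 country=ZZ result=failure
2022-04-11T09:10:20 user=grace ip=198.51.100.23 country=ZZ result=failure
2022-04-11T09:10:25 user=heidi ip=198.51.100.23 country=ZZ result=failure
2022-04-11T09:10:30 user=ivan ip=198.51.100.23 country=ZZ result=failure
2022-04-11T09:10:35 user=judy ip=198.51.100.23 country=ZZ result=failure
"""

# Constructed per-user baseline: countries each account normally logs in from.
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US"}, "dave": {"US"}}


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    username: str
    source_ip: str
    country: str
    success: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed key=value log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append(LoginEvent(datetime.fromisoformat(ts_str), kv["user"],
                                 kv["ip"], kv["country"], kv["result"] == "success"))
    return events


def velocity_alerts(events, window=timedelta(seconds=60), max_attempts=5):
    """Source IPs with more than `max_attempts` login attempts inside any `window`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.source_ip].append(e.ts)
    flagged = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 > max_attempts:
                flagged.add(ip)
                break
    return flagged


def failure_ratio(events) -> float:
    """Platform-wide share of failed logins; a spike suggests an ongoing campaign."""
    if not events:
        return 0.0
    return sum(not e.success for e in events) / len(events)


def geo_anomalies(events, baseline) -> list[str]:
    """Users whose *successful* login came from a country outside their baseline."""
    return sorted({e.username for e in events
                   if e.success and e.username in baseline
                   and e.country not in baseline[e.username]})


def analyze(log_text: str, baseline=BASELINE_COUNTRIES) -> dict:
    events = parse_log(log_text)
    return {
        "velocity_ips": velocity_alerts(events),
        "failure_ratio": round(failure_ratio(events), 3),
        "geo_anomalies": geo_anomalies(events, baseline),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Each signal alone is noisy (a shared corporate NAT can trip the velocity check; a traveller trips the geographic one), which is why the post-login behavioural check the article describes is usually what converts these hints into a step-up authentication decision rather than an outright block.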
The Defense That Works
The most effective defense against credential stuffing is also the simplest: make stolen passwords useless.
Multi-factor authentication (MFA) stops credential stuffing cold. Even if the attacker has the correct password, they cannot complete login without the second factor. GM offered MFA but did not require it for all accounts.
Passwordless authentication eliminates the password entirely, using biometrics, security keys, or magic links instead. No password means nothing to stuff.
Breached password detection checks new and existing passwords against known breach databases (like Have I Been Pwned) and forces changes when a match is found.
Adaptive authentication adjusts security requirements based on risk signals — requiring MFA for logins from new devices, unusual locations, or during detected credential stuffing campaigns.
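Breached password detection, as described above, can be done without sending the password (or even its full hash) to the lookup service. The following is an added example, not code from the original article or from Safeguard.sh: it follows the k-anonymity range protocol that Have I Been Pwned's Pwned Passwords API uses (the client sends only the first five hex characters of the SHA-1 hash and receives a list of `SUFFIX:COUNT` lines for that prefix), but runs entirely offline against a constructed range response so nothing leaves the machine. The network fetch is stubbed, and the breach counts and the two decoy suffixes are made-up values.

```python
"""Breached-password check with the k-anonymity range protocol.

Added example, not from the original article. Mirrors the Pwned Passwords
range lookup shape but uses a constructed, in-memory range response.
"""
import hashlib

# Constructed stand-in for the body of GET /range/5BAA6.
# SHA-1("password") is 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its
# suffix appears here. The other two suffixes and every count are made up.
FAKE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F0F2B7D9C4E8A6A4B5C6D7E8F9A0B1C2D3:12",
    ]),
}


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest the range protocol is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """5-character prefix sent to the service, 35-character suffix kept locally."""
    return full_hash[:5], full_hash[5:]


def fetch_range(prefix: str) -> str:
    # Stub for the HTTPS GET of /range/<prefix>; only the prefix would ever be
    # transmitted. Unknown prefixes return an empty body here.
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str) -> int:
    """How many times the password appears in the (constructed) breach corpus."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def password_policy_decision(password: str, max_breach_count: int = 0) -> tuple[str, int]:
    """Reject a new password if it has been seen in breaches more than the allowed count."""
    count = breach_count(password)
    return ("reject" if count > max_breach_count else "accept"), count


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3 constructed example"):
        print(candidate, "->", password_policy_decision(candidate))
```

The same `breach_count` check can be scheduled against stored hashes of existing accounts (when SHA-1 of the plaintext is available at login time) to force a reset, and it pairs naturally with the adaptive step described above: a match is one more risk signal that should require MFA before the session is trusted.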
The fundamental truth: as long as passwords exist and people reuse them, credential stuffing will work. The only reliable defense is to make passwords insufficient for access.
How Safeguard.sh Helps
Safeguard.sh monitors for credential exposure across known breach databases and alerts organizations when employee or customer credentials appear in new data dumps. Our platform enforces authentication policies that require MFA for sensitive systems and flags accounts using passwords found in breach databases. By providing continuous visibility into credential exposure and enforcing policies that reduce the effectiveness of credential stuffing, Safeguard.sh helps organizations protect their users from the consequences of password reuse — even when those passwords were compromised elsewhere.