GM noticed the cyberattack between April 11, 2022 and April 29, 2022, after suspicious logins to certain GM online accounts led to unauthorized redemptions of customer reward points for gift cards.

The company disabled the redemption feature, notified customers about the attack, and then required them to change passwords.

GM says the hackers may instead have gained access only to information such as “first and last name, personal email address, personal address, username and phone number for registered family members tied to your account, last known and saved favorite location information, your currently subscribed OnStar package (if applicable), family members’ avatars and photos (if uploaded), profile picture, search and destination information, reward card activity, and fraudulently redeemed reward points.”

The company believes criminals obtained customer login data outside of GM networks and re-used it to access GM accounts.

In the notice of data breach, GM said it reported the activity to law enforcement and continues to monitor account activity to protect its customers and personal information about them.