American automaker General Motors (GM) disclosed that it suffered a credential stuffing attack in April 2022.

According to a data breach notification filed with California’s Attorney General, the attackers accessed customers’ personally identifiable information (PII) and redeemed reward points for gift cards.

The company also clarified that the attack did not expose customers’ financial information such as credit card and social security numbers, bank account information, driver’s license numbers, and birth dates.

General Motors detected malicious login activity to customers’ accounts between April 11 and April 29.