General Motors Cyber Attack: What Really Happened to Your Account

Automobiles aren't just engines and tires anymore. They're basically rolling computers, and like any computer, they get targeted by people who want your data. Back in April 2022, General Motors (GM) found itself in the middle of a messy security incident that left thousands of Chevy, Cadillac, Buick, and GMC owners wondering if their cars—and their identities—were still safe.

It wasn't a "The Italian Job" style movie hack where cars started driving themselves off piers. Honestly, it was much more mundane but arguably more annoying for the average person just trying to manage their OnStar subscription.

The 2022 GM Data Breach: Not a "Hack" in the Traditional Sense

Here is the thing about the 2022 incident: GM’s internal servers didn’t actually get breached. You've probably heard the term credential stuffing before. If not, it's essentially when bad actors take huge lists of usernames and passwords leaked from other websites (think old LinkedIn or MyFitnessPal leaks) and use bots to "stuff" them into GM’s login page.

They’re betting on the fact that you use the same password for your "CoolCat2015" email as you do for your My GM rewards account. Often, they’re right.

Between April 11 and April 29, 2022, these bots hit GM’s systems hard. They weren't looking for engine specs. They wanted the digital wallet. Once they got in, they started draining My GM Rewards points and swapping them for gift cards. It’s a classic digital heist—fast, automated, and hard to track until the bill comes due.
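What that pattern looks like from the defender's side of the login page, as an added example (not GM's code or logs): a short Python check that flags a source trying many different accounts and mostly failing, then lists the accounts it did get into so they can be forced through a password reset. The event format, addresses, usernames and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (timestamp, source_ip, username, success).
# IPs are from documentation ranges and the usernames are made up.
EVENTS = [
    ("2022-04-11T02:00:01", "203.0.113.7", "alice@example.com", False),
    ("2022-04-11T02:00:02", "203.0.113.7", "bob@example.com", False),
    ("2022-04-11T02:00:03", "203.0.113.7", "carol@example.com", True),
    ("2022-04-11T02:00:04", "203.0.113.7", "dave@example.com", False),
    ("2022-04-11T02:00:05", "203.0.113.7", "erin@example.com", False),
    ("2022-04-11T02:00:06", "203.0.113.7", "frank@example.com", False),
    # An owner mistyping a password once, then getting in: not stuffing.
    ("2022-04-11T08:15:00", "198.51.100.20", "grace@example.com", False),
    ("2022-04-11T08:15:20", "198.51.100.20", "grace@example.com", True),
    # Repeated guesses against one account: a different pattern, one username.
    ("2022-04-11T09:00:00", "192.0.2.50", "heidi@example.com", False),
    ("2022-04-11T09:00:01", "192.0.2.50", "heidi@example.com", False),
    ("2022-04-11T09:00:02", "192.0.2.50", "heidi@example.com", False),
]

def summarize_sources(events):
    """Group attempts by source IP: distinct usernames, attempts, successes."""
    stats = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for _ts, ip, user, ok in events:
        s = stats[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["hits"].add(user)
    return stats

def find_stuffing(events, min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct accounts and mostly fail.

    Thresholds are illustrative assumptions, not tuned values.
    Returns {ip: sorted accounts that were logged into from that source}.
    """
    flagged = {}
    for ip, s in summarize_sources(events).items():
        ratio = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and ratio <= max_success_ratio:
            flagged[ip] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing(EVENTS).items():
        print(f"{ip}: force password reset for {accounts}")
```

Counting per IP address only catches the simplest case, since automated traffic is often spread across many addresses; the same tally can be kept per network, per client fingerprint, or across the whole login endpoint.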

What Was Actually Exposed?

When these attackers successfully "stuffed" a login, they didn't just see a points balance. They had a front-row seat to a surprising amount of personal info stored in the owner portal. According to the breach notification filed with the California Attorney General, the data exposed included:

  • Full names and personal email addresses.
  • Physical home addresses and phone numbers.
  • Last known and saved favorite locations (this is the creepy part).
  • OnStar package details and family member information.
  • Car mileage, service history, and even Wi-Fi hotspot passwords.

Thankfully, GM doesn't store Social Security numbers or full credit card digits in these specific accounts. So, while your "Home" address might have been seen, your bank account wasn't directly emptied.

Why This Attack Still Matters in 2026

You might think 2022 is ancient history in tech years. It's not. This specific attack highlighted a massive hole in automotive security: the lack of Multi-Factor Authentication (MFA). At the time of the attack, GM’s customer portal didn't even offer the option to use a secondary code from your phone.

It was a wide-open door for anyone with a leaked password list.

Since then, the conversation has shifted from "Did they steal my points?" to "What is the car company doing with my data?" Just this month, in January 2026, the FTC finalized a massive order against General Motors regarding how they handled driver data through OnStar. While the 2022 attack was about thieves taking data, the 2026 headlines are about the company allegedly selling it to insurance companies without clear consent.

The two issues are linked by one common thread: your car knows way too much about you.

The Reality of Car Tech Security

When you save your "Work" address or "Grandma's House" in your vehicle’s navigation, that data lives in the cloud. If an attacker gets your password via a credential stuffing attack, they know exactly where you spend your time.

GM did eventually "stop the bleeding." They forced password resets for everyone affected and promised to restore the stolen rewards points. They also advised people to keep a close eye on their credit reports.

But the lesson here is bigger than one company. The automotive industry is playing catch-up with Silicon Valley. For decades, car companies focused on crash test ratings and torque. Now, they have to worry about SQL injections and botnets. It's a steep learning curve.

Actionable Steps to Lock Down Your Vehicle Account

If you own a GM vehicle—or any modern car with an app—don't wait for the next "suspicious activity" email to land in your inbox.

  1. Change that password now. If you’re using the same password for your car app that you use for your grocery delivery, you’re asking for trouble. Use a unique, long passphrase.
  2. Turn on MFA if it's available. Most manufacturers have finally added this. It’s a slight pain to enter a code, but it's better than someone redeeming your $500 in service points for Amazon gift cards.
  3. Clear your "Favorites" periodically. Do you really need your home address saved in the cloud-synced nav system? Maybe. But if you don't, delete it.
  4. Check your OnStar/Connected Services settings. Look for "Smart Driver" or similar data-sharing programs. If you're not comfortable with your braking and acceleration data being tracked, opt out.
  5. Audit your Wi-Fi settings. If your car has a built-in hotspot, make sure the password isn't something generic like the VIN or "Chevy123."

Security is a moving target. The 2022 GM incident was a wake-up call that car accounts are valuable targets. Whether it's hackers looking for gift cards or corporations looking for insurance leads, your vehicle's data is the new gold rush. Stay skeptical.