State Farm – the largest property and casualty insurance provider in the US - has been compromised in a credential stuffing attack.
The firm acknowledged the cyberattack, filing a data breach notification with the California Attorney General, and on Wednesday, Aug. 7, it sent out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by a bad actor.
The insurer’s data breach notification email read: “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”
This type of cyberattack is called credential stuffing. Attackers will buy or take usernames and passwords that were leaked from other companies’ data breaches and they will try to use those credentials to log-in to other accounts and sites. It works well against people who use the same password for lots of different sites – something many people are in the habit of doing.
State Farm confirmed in its “Notice of Data Breach” email that the attacker was able to get usernames and passwords of some policyholders’ accounts, but that no personally identifiable information was viewable, and no fraud was detected, according to a Bleeping Computer report. It remains unknown if the bad actor actually logged into the accounts.
In addition to notifying impacted users, State Farm has also reset all passwords for the accounts whose credentials were breached by the hacker.
Credential stuffing attacks have been on the rise, with a number of incidents reported this year. Retailers are usually the top target for credential stuffing attacks, but criminals also continue to target companies within the financial services space, according to Aaron Zander, head of IT at HackerOne, a bug bounty and vulnerability disclosure platform provider.