State Farm – the largest property and casualty insurance provider in the US – has been compromised in a credential stuffing attack.
The firm acknowledged the cyberattack, filing a data breach notification with the California Attorney General, and on Wednesday, Aug. 7, it sent out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by a bad actor.
The insurer’s data breach notification email read: “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”
This type of cyberattack is called credential stuffing. Attackers buy or collect usernames and passwords leaked in other companies’ data breaches and then try those same credentials to log in to accounts on other sites. It works well against people who use the same password for lots of different sites – something many people are in the habit of doing.
State Farm confirmed in its “Notice of Data Breach” email that the attacker was able to obtain usernames and passwords for some policyholders’ accounts, but that no personally identifiable information was viewable and no fraud was detected, according to a Bleeping Computer report. It remains unknown whether the bad actor actually logged into the accounts.
In addition to notifying impacted users, State Farm has also reset all passwords for the accounts whose credentials were breached by the hacker.
Credential stuffing attacks have been on the rise, with a number of incidents reported this year. Retailers are usually the top target for credential stuffing attacks, but criminals also continue to target companies within the financial services space, according to Aaron Zander, head of IT at HackerOne, a bug bounty and vulnerability disclosure platform provider.
“That password we used hundreds of times in the early 2000s has come back to haunt us,” Zander explained. “People shouldn’t reuse passwords. But people still do and criminals know this. Adopting good password practices, such as the use of password managers and multi-factor authentication and changing passwords immediately upon receiving notification that your account has been compromised, can go a long way in mitigating against credential stuffing attacks.”
“At the same time, it’s also up to companies who operate websites and applications to prevent themselves from becoming testbeds for valid credentials,” he added. “Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important, both in the total amount they are trying and how fast they can submit. Using tools like captcha, email magic links, rate limiting, browser detection and generally thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.”
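As an added example, not code from the article, State Farm or HackerOne, the following Python script applies the defensive limits Zander describes (per-source attempt rate, number of distinct user IDs one source may try, and per-account failure count) to authentication log lines and reports which sources and accounts tripped them. The log format, the thresholds, and every IP address and user ID are constructed assumptions for illustration; the sample traffic is not real.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds (assumed for this example; tune them to real traffic).
WINDOW = timedelta(seconds=60)   # sliding window applied to every counter
MAX_ATTEMPTS_PER_IP = 5          # total login attempts one source may make per window
MAX_USERS_PER_IP = 3             # distinct user IDs one source may try per window
MAX_FAILS_PER_USER = 5           # failed logins per account per window, from any source

# Constructed sample log lines (not real traffic): "timestamp ip user_id result".
SAMPLE_LOG = """\
2019-08-07T10:00:00 203.0.113.5 alice FAIL
2019-08-07T10:00:01 203.0.113.5 bob FAIL
2019-08-07T10:00:02 203.0.113.5 carol FAIL
2019-08-07T10:00:03 203.0.113.5 dave OK
2019-08-07T10:00:04 203.0.113.5 erin FAIL
2019-08-07T10:00:05 203.0.113.5 frank FAIL
2019-08-07T10:00:10 198.51.100.7 grace FAIL
2019-08-07T10:00:25 198.51.100.7 grace OK
2019-08-07T10:01:00 192.0.2.1 heidi FAIL
2019-08-07T10:01:02 192.0.2.2 heidi FAIL
2019-08-07T10:01:04 192.0.2.3 heidi FAIL
2019-08-07T10:01:06 192.0.2.4 heidi FAIL
2019-08-07T10:01:08 192.0.2.5 heidi FAIL
2019-08-07T10:01:10 192.0.2.6 heidi FAIL
"""


def parse_line(line):
    """Split one 'ISO-timestamp ip user_id result' line; result is OK or FAIL."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


def _trim(dq, now, window):
    """Drop events that have fallen out of the sliding window."""
    while dq and now - dq[0][0] > window:
        dq.popleft()


def analyze(lines, window=WINDOW, max_attempts_per_ip=MAX_ATTEMPTS_PER_IP,
            max_users_per_ip=MAX_USERS_PER_IP, max_fails_per_user=MAX_FAILS_PER_USER):
    """Scan auth events in order and report which sources/accounts tripped a limit.

    throttled_ips: sources exceeding the per-IP attempt rate (rate limiting)
    stuffing_ips:  sources cycling through too many different user IDs
    locked_users:  accounts failing too often, whatever the source (distributed attempts)
    reset_users:   accounts a flagged source logged into successfully; these are the
                   ones whose passwords should be reset, as State Farm did
    """
    ip_events = defaultdict(deque)   # ip -> deque of (ts, user)
    user_fails = defaultdict(deque)  # user -> deque of (ts, ip)
    throttled, stuffing, locked = set(), set(), set()
    events = []

    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = parse_line(line)
        events.append((ip, user, result))

        # Per-source counters: volume and breadth of user IDs tried.
        dq = ip_events[ip]
        dq.append((ts, user))
        _trim(dq, ts, window)
        if len(dq) > max_attempts_per_ip:
            throttled.add(ip)
        if len({u for _, u in dq}) > max_users_per_ip:
            stuffing.add(ip)

        # Per-account counter: catches attempts spread across many sources.
        if result == "FAIL":
            fq = user_fails[user]
            fq.append((ts, ip))
            _trim(fq, ts, window)
            if len(fq) > max_fails_per_user:
                locked.add(user)

    # Any account a stuffing source got into is treated as a reused-password hit.
    reset = {user for ip, user, result in events if result == "OK" and ip in stuffing}
    return {"throttled_ips": throttled, "stuffing_ips": stuffing,
            "locked_users": locked, "reset_users": reset}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {sorted(value)}")
```

On the sample, the source that tries six different user IDs in five seconds trips both the rate and the distinct-user limit, and the one account it logged into is listed for a password reset; the account hit from six different addresses trips only the per-account limit, which is why a per-IP rule alone is not enough. The legitimate user who mistypes once and then succeeds is not flagged.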