Insurer State Farm has suffered a credential stuffing attack, first discovered on July 6, 2019, when a bad actor confirmed valid usernames and passwords for U.S. customers' online accounts. The banking and insurance giant said it reset the passwords of, and notified, all affected accounts.
Techniques like credential stuffing (breaking into accounts with reused passwords) put users at risk of complete account takeover, which in turn exposes their employers to lateral attacks. As data breaches continue to expose users' account credentials, credential attacks are becoming more common.
State Farm, the largest property and casualty insurance provider in the US, has been compromised in a credential stuffing attack. The firm acknowledged the cyberattack, filing a data breach notification with the California Attorney General, and on Wednesday (August 07) it sent out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by a bad actor. The insurer’s data breach notification email read: “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”