The American group of insurance and financial services companies State Farm revealed that it was the victim of a credential stuffing attack it has suffered in July. The insurance firm is notifying the impacted customers, but it did not disclose the number of affected users.
Accessing an online account, users could make several actions, such as manage insurance claims and pay bills.
Credential stuffing attacks involve botnets to try stolen login credentials usually obtained through phishing attacks and data breaches. This kind of attacks is very efficient due to the bad habit of users of reusing the same password over multiple services.
“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.” reads a “Notice of Data Breach” sent to users impacted and shared by
In response to the attacks, State Farm reset the passwords for impacted accounts.
According to State Farm, attackers were able to confirm the username and passwords of impacted users, but no personal information was compromised. The good news is that the company is not aware of fraudulent activity associated with confirmed credentials.
The company filed a data breach notification with the Office of the California Attorney General, the document reads that the first attack was detected on Saturday, July 6, 2019, other attacks were observed until July 22, 2019.
Credential stuffing attacks are very frequent in the threat landscape, according to a report published by Akamai in September 2018, the credential stuffing attacks are a growing threat and often underestimated.
The experts detected 8.3 Billion malicious login attempts from bots in May and June, an overall number of 30 billion malicious logins were observed between November 2017 and June 2018, an average of 3.75 billion per month.
In 2019, another analysis published by Akamai reported that 28 billion credential stuffing attempts were detected in the second half of 2018.
(SecurityAffairs – State Farm, Credential Stuffing)