State Farm Investigates Credential-Stuffing Attack
Not Yet Clear How Many Customers May Have Been Affected
Insurer State Farm has been hit by a credential-stuffing attack designed to gain access to U.S. customers’ online accounts, a company spokesperson confirms.
The company's security team first noticed the attack on July 6. State Farm recently started to notify customers of the incident, according to ZDNet, which first reported on the incident after obtaining a copy of the company’s notification letter.
Bloomington, Illinois-based State Farm is one of the largest insurance brokers and financial services firms in the U.S. Its online services allow customers to transfer funds and pay bills.
The State Farm spokesperson tells Information Security Media Group that an unknown hacker attempted to gain access to online accounts by using credentials obtained through dark net sites.
And while the unknown attacker was able to confirm usernames and passwords while attempting to log into customers' online accounts through a credential-stuffing attack, there has been no confirmation of any fraudulent activities.
"State Farm discovered a bad actor or actors attempting to gain access to customers’ online accounts using a list of user IDs and passwords from other sources," the company spokesperson tells ISMG. "To defend against the attack, we reset passwords for these online accounts in an effort to prevent additional attempts by the bad actor. We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks."
It's not clear how many customers were affected by the incident, and the State Farm spokesperson did not specify how many notification letters went out.
"We encourage customers to regularly change their passwords to a new and unique password, use multifactor authentication whenever possible and review all personal accounts for signs of unusual activity," the spokesperson says.
Credential Stuffing on the Rise
Credential stuffing has emerged as one of the biggest threats to enterprises across the world.
A 2018 report by security vendor Akamai found that companies were reporting nearly 13 credential stuffing incidents each month in which the attacker successfully identified valid credentials.
The report also found that many enterprises lack proper security protocols to counter these types of attacks, which typically involve hackers taking usernames and passwords stolen in other breaches and trying those combinations against other organizations. The approach is effective because so many users reuse the same passwords for different accounts.
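Seen from the defender's side, the reuse of breached username and password pairs leaves a recognizable shape in login logs: one source tries many different accounts, once or twice each, and most attempts fail. The following is an added example, not code from the article or from State Farm; the event tuple format, the thresholds and the function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, username, login_succeeded)
SAMPLE_EVENTS = (
    # One source, one try each against 100 accounts, 4 of which succeed.
    [("203.0.113.7", f"user{i:03d}", i % 25 == 0) for i in range(100)]
    # A legitimate user mistyping their own password before getting it right.
    + [("198.51.100.4", "alice", False)] * 3 + [("198.51.100.4", "alice", True)]
    # Two people logging in from one shared address.
    + [("192.0.2.10", "bob", True), ("192.0.2.10", "carol", True)]
)

def find_stuffing_sources(events, min_users=20, max_tries_per_user=2.0,
                          max_success_rate=0.10):
    """Return {source_ip: accounts it logged in to} for stuffing-like sources."""
    attempts = defaultdict(int)   # total login attempts per source
    users = defaultdict(set)      # distinct usernames tried per source
    hits = defaultdict(set)       # usernames with a successful login per source
    for ip, user, ok in events:
        attempts[ip] += 1
        users[ip].add(user)
        if ok:
            hits[ip].add(user)

    flagged = {}
    for ip, total in attempts.items():
        distinct = len(users[ip])
        wide = distinct >= min_users                      # many accounts targeted
        shallow = total / distinct <= max_tries_per_user  # few tries per account
        mostly_failing = len(hits[ip]) / distinct <= max_success_rate
        if wide and shallow and mostly_failing:
            flagged[ip] = sorted(hits[ip])
    return flagged

def accounts_to_reset(events, **thresholds):
    """Accounts whose credentials a flagged source confirmed as valid."""
    confirmed = set()
    for hit_users in find_stuffing_sources(events, **thresholds).values():
        confirmed.update(hit_users)
    return sorted(confirmed)

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE_EVENTS))
    print(accounts_to_reset(SAMPLE_EVENTS))
```

Grouping by source IP is the simplest key; the same counting applies to any other attribute the logs record for each attempt. The output of `accounts_to_reset` corresponds to the accounts for which a password reset, the response State Farm describes, would be warranted.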
In May, Fast Retailing, a Japanese clothing retailer, sustained a credential stuffing attack that exposed the details of its 460,000 online customers. That incident resulted in a hacker targeting the company's network to access data, which included email IDs and partial credit card numbers (see: Hack of Japanese Retailer Exposes 460,000 Customer Accounts).
Availability of Stolen Credentials
The huge amount of stolen data that’s available for use in credential-stuffing attacks came into focus earlier this year with the discovery of a massive collection of usernames and passwords seemingly available to anyone looking for them.
In January, Troy Hunt, who runs the "Have I Been Pwned?" data breach search website, discovered one of the biggest collections of breached data, which he called Collection #1 (see: Data Breach Collection Contains 773 Million Unique Emails).
Hunt traced the origin of the data to a number of files in MEGA, a popular cloud-based file sharing service.