[BreachExchange] State Farm Investigates Credential-Stuffing Attack

Destry Winant destry at riskbasedsecurity.com
Fri Aug 9 10:25:26 EDT 2019


Insurer State Farm has been hit by a credential-stuffing attack
designed to gain access to U.S. customers' online accounts, a company
spokesperson confirms.

The company's security team first noticed the attack on July 6. State
Farm recently started to notify customers of the incident, according
to ZDNet, which first reported on the incident after obtaining a copy
of the company's notification letter.

Bloomington, Indiana-based State Farm is one of the largest insurance
brokers and financial services firms in the U.S. Its online services
allow customers to transfer funds and pay bills.

The State Farm spokesperson tells Information Security Media Group
that an unknown hacker attempted to gain access to online accounts by
using credentials obtained through dark net sites. The attacker was
able to confirm usernames and passwords while attempting to log into
customers' online accounts through a credential-stuffing attack, the
insurer says, but the company has not confirmed any fraudulent

"State Farm discovered a bad actor or actors attempting to gain access
to customers' online accounts using a list of user IDs and passwords
from other sources," the company spokesperson tells ISMG. "To defend
against the attack, we reset passwords for these online accounts in an
effort to prevent additional attempts by the bad actor. We have
implemented additional controls and continue to evaluate our
information security efforts to mitigate future attacks."

It's not clear how many customers were affected by the incident, and
the State Farm spokesperson did not specify how many notification
letters went out.

"We encourage customers to regularly change their passwords to a new
and unique password, use multifactor authentication whenever possible
and review all personal accounts for signs of unusual activity," the
spokesperson says.

Credential Stuffing on the Rise

Credential stuffing has emerged as one of the biggest threats to
enterprises across the world.

A 2018 report by security vendor Akamai found that companies were
reporting nearly 13 credential stuffing incidents each month in which
the attacker successfully identified valid credentials.

The report also found that many enterprises lack proper security
protocols to counter these types of attacks, which typically involve
hackers using usernames and passwords stolen in other breaches in an
attempt to attack other organizations by guessing combinations of
names and passwords. The approach is effective because so many users
reuse the same passwords for different accounts.
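
The pattern described above looks different in login logs from a brute-force attempt against one account: a single source tries many distinct usernames, about once each, and most attempts fail. The Python sketch below is an added example, not part of the original article or anything State Farm has described. It flags such sources and lists the accounts where a login succeeded, which are the candidates for the kind of password reset the company says it performed. The event format, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, login_succeeded)
EVENTS = (
    # One source walking a credential list: 40 users, one try each, 2 hits
    [("203.0.113.7", f"user{i:03d}", i in (4, 17)) for i in range(40)]
    # One user retrying a forgotten password, then succeeding
    + [("198.51.100.20", "alice", False)] * 6
    + [("198.51.100.20", "alice", True)]
    # Two people behind one home router, both logging in normally
    + [("192.0.2.55", "bob", True), ("192.0.2.55", "carol", True)]
)

def detect_stuffing(events, min_users=20, max_tries_per_user=2.0,
                    min_fail_ratio=0.8):
    """Return {source_ip: sorted usernames with a successful login}
    for sources whose traffic matches the credential-stuffing shape."""
    tries = defaultdict(lambda: defaultdict(int))  # ip -> user -> attempts
    hits = defaultdict(set)                        # ip -> users that got in
    fails = defaultdict(int)                       # ip -> failed attempts
    for ip, user, ok in events:
        tries[ip][user] += 1
        if ok:
            hits[ip].add(user)
        else:
            fails[ip] += 1

    flagged = {}
    for ip, per_user in tries.items():
        total = sum(per_user.values())
        users = len(per_user)
        if (users >= min_users                            # many accounts
                and total / users <= max_tries_per_user   # few tries each
                and fails[ip] / total >= min_fail_ratio): # mostly failures
            flagged[ip] = sorted(hits[ip])  # accounts needing a reset
    return flagged

if __name__ == "__main__":
    for ip, accounts in detect_stuffing(EVENTS).items():
        print(f"{ip}: reset passwords for {', '.join(accounts) or 'none'}")
```

Grouping by source IP is a simplification: the same test can be keyed on other request attributes when attempts are spread across many addresses.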

In May, Fast Retailing, a Japanese clothing retailer, sustained a
credential stuffing attack that exposed the details of its 460,000
online customers. That incident resulted in a hacker targeting the
company's network to access data, which included email IDs and partial
credit card numbers (see: Hack of Japanese Retailer Exposes 460,000
Customer Accounts).

Availability of Stolen Credentials

The huge amount of stolen data that's available for use in
credential-stuffing attacks came into focus earlier this year with the
discovery of a massive collection of usernames and passwords seemingly
available to anyone looking for them.

In January, Troy Hunt, who runs the "Have I Been Pwned?" data breach
search website, discovered one of the biggest collections of breached
data, which he called Collection #1 (see: Data Breach Collection
Contains 773 Million Unique Emails).

Hunt traced the origin of the data to a number of files in MEGA, a
popular cloud-based file sharing service.
