What is the issue?
Insurance company State Farm notified its customers that it suffered a credential stuffing attack during which attackers were able to confirm valid usernames and passwords for some customer accounts.
The big picture
On July 6, 2019, State Farm became aware that attackers had used a list of usernames and passwords in a credential stuffing attack to access customers’ online accounts.
“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account,” State Farm said in a data breach notice.
What actions were taken?
“We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks,” a spokesperson for State Farm told ZDNet.
According to the data breach notification filed with the Office of the California Attorney General, the first attempted attack on State Farm accounts occurred on July 6, 2019, followed by further attacks on July 8, 12, 13, 14, 17, 19, 20, and 22.