
State Farm customer accounts breached in credential stuffing attack
  • Attackers used a list of usernames and passwords obtained via a credential stuffing attack to access State Farm customers’ online accounts.
  • The investigation revealed that attackers were able to confirm valid usernames and passwords for some online accounts; however, no personal information was accessed.

What is the issue?

Insurance company State Farm notified its customers that it suffered a credential stuffing attack during which attackers were able to confirm valid usernames and passwords for some customer accounts.

The big picture

On July 6, 2019, State Farm became aware that attackers used a list of usernames and passwords obtained via a credential stuffing attack to access customers’ online accounts.

  • Upon discovery, the insurance company launched an investigation and determined that the attackers compromised usernames and passwords for some user accounts.
  • The investigation revealed that attackers were able to confirm valid usernames and passwords for some online accounts; however, no personal information was accessed.
  • After this, State Farm reviewed the accounts of impacted customers and confirmed that no fraudulent activity occurred.

“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account,” State Farm said in a data breach notice.

What actions were taken?

  • State Farm has reset passwords for all impacted customer accounts in order to avoid further access attempts by the attackers.
  • The insurance company has notified the affected customers and asked them to change their passwords for their State Farm accounts, as well as for any other online accounts where they have reused the same passwords.
  • Furthermore, the company has implemented additional security controls to prevent such incidents from happening in the future.

“We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks,” a spokesperson for State Farm told ZDNet.

Worth noting

According to the data breach notification filed with the Office of the California Attorney General, the first attempted attack on State Farm accounts occurred on July 6, 2019, followed by subsequent attacks on July 8, 12, 13, 14, 17, 19, 20, and 22.
