State Farm breach highlights threat of credential stuffing attacks

In addition to notifying impacted users, State Farm said it reset all passwords for breached accounts.

Bloomington, Ill.-based insurance and financial services firm State Farm said it suffered a credential stuffing attack in which “a bad actor” confirmed valid usernames and passwords for State Farm online accounts.

A State Farm spokesperson told ZDNet the company discovered the credential stuffing attack on July 6, 2019. The company filed a data breach notification with the California Attorney General and on August 7 sent “Notice of Data Breach” emails to affected online account users, but it did not reveal the number of impacted accounts.

Deepak Patel, security evangelist at PerimeterX, commented: “Credential stuffing is accomplished by hackers who take advantage of users who often reuse the same passwords across multiple online accounts.” Patel explained that stolen credentials, combined with personal information from previous breaches, can result in an account takeover. “The vast number of past data breaches means that the amount of credentials available on the dark web is massive.” Patel acknowledged this makes it more difficult than ever for website owners to protect against such attacks, even if their businesses were never involved in a breach. “In this case, hackers likely used automation – bots – to test permutations and combinations of credentials from the dark web until they found those that worked.” Patel added that website owners must consider bot mitigation as part of their web application protection strategy to protect against the ongoing threat of account takeover (ATO).
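As an added illustration of the bot-driven credential testing Patel describes, the routine below is example code written for this page, not State Farm's or PerimeterX's: it reads constructed login-log lines, flags source IPs that cycle through many distinct usernames with a high failure rate, and lists the accounts that nonetheless logged in from such an IP as candidates for the forced password reset the article mentions. The log format, the sample addresses and the thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the article); one line per login attempt.
SAMPLE_LOG = """\
2019-07-06T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-07-06T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-07-06T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-07-06T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-07-06T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-07-06T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-07-06T10:00:05Z ip=198.51.100.7 user=alice result=FAIL
2019-07-06T10:00:09Z ip=198.51.100.7 user=alice result=OK
2019-07-06T10:00:12Z ip=192.0.2.9 user=grace result=OK
"""

# Assumed log format: "ip=<addr> user=<name> result=OK|FAIL" somewhere on the line.
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse_log(text):
    """Yield (ip, user, success) for each well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["ip"], m["user"], m["result"] == "OK"


def detect_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that try many distinct usernames with mostly failed logins.

    Credential stuffing looks different from a single-account brute force: one source
    walks a list of (username, password) pairs, so it touches many accounts and fails
    on most of them. Returns (flagged_ips, accounts_to_reset), where accounts_to_reset
    are users that logged in successfully from a flagged IP (likely compromised).
    """
    attempts = defaultdict(list)
    for ip, user, ok in parse_log(text):
        attempts[ip].append((user, ok))
    flagged, to_reset = set(), set()
    for ip, rows in attempts.items():
        distinct_users = {u for u, _ in rows}
        fails = sum(1 for _, ok in rows if not ok)
        if len(distinct_users) >= min_users and fails / len(rows) >= min_fail_ratio:
            flagged.add(ip)
            to_reset.update(u for u, ok in rows if ok)
    return flagged, to_reset
```

On the sample above only 203.0.113.5 is flagged (six usernames, five failures), and "dave" is the one account that should be reset; the repeated attempts against "alice" from 198.51.100.7 are a single-account pattern this check deliberately does not cover.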
