State Farm says hackers confirmed valid usernames and passwords in credentials stuffing attack

State Farm suffered a credential stuffing attack in July and is now notifying impacted customers.
Written by Catalin Cimpanu, Contributor
State Farm

US banking and insurance giant State Farm said it suffered a credential stuffing attack during which "a bad actor" was able to confirm valid usernames and passwords for State Farm online accounts.

State Farm said it reset account passwords to all impacted accounts to prevent future abuse from the bad actor. The company is now notifying affected customers.

A State Farm spokesperson told ZDNet the company discovered the credential stuffing attack on July 6, 2019. However, the company did not respond to a direct question asking about the number of impacted accounts.

Nevertheless, State Farm said that it did not identify any fraudulent activity in the accounts that had their passwords confirmed.

The company's online accounts allow users to manage insurance claims, pay bills, or wire funds, among many other things [1, 2].

"We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks," a State Farm spokesperson told ZDNet.

"We encourage customers to regularly change their passwords to a new and unique password, use multi-factor authentication whenever possible, and review all personal accounts for signs of unusual activity," the company added.

Banks are under a barrage of credential stuffing attacks

Credential stuffing attacks are when hackers take username and password combinations that have been made public through security breaches at other companies, and use them to gain access to accounts on other services, hoping that users had reused passwords across accounts.

These types of attacks have been growing in frequency at an alarming rate since last year. In a report published last month, Akamai said it detected over 3.5 billion credential stuffing requests aimed at financial institutions in the past 18 months.

Companies like ad blocker AdGuard, banking giant HSBC, social media site Reddit, video sharing portal DailyMotion, delivery service Deliveroo, enterprise tool Basecamp, restaurant chain Dunkin' Donuts, tax filing service TurboTax, and UK telco Sky have all publicly acknowledged being on the receiving end of credential stuffing attacks in the past year alone.

Hackers typically use credential stuffing attacks to confirm passwords for online accounts, which they later resell online, on hacking forums or on the dark web.

"Large companies see cyber security attacks on a regular basis," a State Farm told ZDNet. "We take the security of all customer information seriously, and we regularly monitor our networks and test the strength of our security to remain vigilant against increasingly sophisticated cyber security threats. Incidents like this remind us we all must continue to exercise diligence to protect our personal information."

Best Android smartphones (July 2019)

More data breach coverage:

Editorial standards