State Farm Falls Victim to Credential-Stuffing Attack


The insurance giant serves at least 83 million U.S. households.

State Farm Insurance is notifying customers that accounts have been compromised by hackers in a credential-stuffing attack.

Credential stuffing exploits the fact that users often reuse the same password across multiple online accounts. Attackers take user names and passwords stolen in previous data breaches and try them against other services on a wide scale; when a pair matches, they can take over the victim’s account.

In the notification, the insurance giant said that it reset user passwords after it “recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the Dark Web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”

It also said that no sensitive information was viewable, but few details have yet been made available — it’s unclear whether the hacker accessed customer accounts or merely retrieved their credentials.

It’s also unclear how many customer accounts the attacker was able to access, but State Farm has reported that it services 83 million policies and accounts in the U.S.

It’s well-known that the uptick in credential spills on the criminal underground has led to increases in credential-stuffing attempts. Dunkin’ Donuts, for instance, was the victim of high-profile incidents in February and last November.

“The vast number of past data breaches means that the amount of credentials available on the Dark Web is massive,” said Deepak Patel, security evangelist at PerimeterX, via email. “This makes it more difficult than ever for website owners to protect against such attacks, even if their businesses were never involved in a breach. In this case, hackers likely used automation — bots — to test permutations and combinations of credentials from the Dark Web until they found those that worked. Website owners must consider bot mitigation as part of their web application protection strategy to protect against the ongoing threat of account takeover.”
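As an added illustration of the detection side (this code is not from the article, from State Farm or from PerimeterX), the following Python flags the login pattern described above, many different usernames tried from one source with mostly failures inside a short window, and distinguishes it from classic single-account brute force, then lists the accounts whose logins succeeded from a flagged source, the ones a password reset should target. The log format, thresholds and sample events are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta
from itertools import groupby
# Constructed sample login events for this example (not real data).
SAMPLE_LOG = """\
2019-08-06T10:00:01Z src=198.51.100.7 user=alice result=FAIL
2019-08-06T10:00:02Z src=198.51.100.7 user=bob result=FAIL
2019-08-06T10:00:03Z src=198.51.100.7 user=carol result=OK
2019-08-06T10:00:04Z src=198.51.100.7 user=dave result=FAIL
2019-08-06T10:01:00Z src=203.0.113.9 user=carol result=FAIL
2019-08-06T10:01:01Z src=203.0.113.9 user=carol result=FAIL
2019-08-06T10:01:02Z src=203.0.113.9 user=carol result=FAIL
2019-08-06T10:01:03Z src=203.0.113.9 user=carol result=FAIL
2019-08-06T10:02:00Z src=192.0.2.5 user=alice result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse(log):
    """Yield one event dict per well-formed line (malformed lines are skipped)."""
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ev

def classify_sources(log, window=timedelta(minutes=5), min_attempts=4,
                     min_users=3, min_fail_ratio=0.6):
    """Label each source IP 'credential-stuffing' (many distinct usernames, mostly
    failing, inside one window), 'brute-force' (one username hammered) or 'normal'."""
    verdicts = {}
    events = sorted(parse(log), key=lambda e: (e["src"], e["ts"]))
    for src, group in groupby(events, key=lambda e: e["src"]):
        evs, verdict, start = list(group), "normal", 0
        for end in range(len(evs)):                    # sliding time window
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e["user"] for e in win}
            fails = sum(e["result"] == "FAIL" for e in win)
            suspicious = len(win) >= min_attempts and fails >= min_fail_ratio * len(win)
            if suspicious and len(users) >= min_users:
                verdict = "credential-stuffing"        # never downgraded later
            elif suspicious and len(users) == 1 and verdict == "normal":
                verdict = "brute-force"
        verdicts[src] = verdict
    return verdicts

def accounts_to_reset(log):
    """Accounts that logged in successfully from a flagged stuffing source."""
    flagged = {s for s, v in classify_sources(log).items() if v == "credential-stuffing"}
    return {e["user"] for e in parse(log) if e["src"] in flagged and e["result"] == "OK"}
```

Real deployments would add per-user signals (one account hit from many sources) and tune the thresholds against their own traffic; the illustrative values here simply make the sample data readable.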

Clearly, avoiding password reuse is the best protection against these kinds of attacks. But Adam Laub, CMO at STEALTHbits Technologies, noted that encouraging good password hygiene is easier said than done – as the security community well knows.

“As already implied, unique username and password combinations are indeed the number one way to mitigate the effectiveness of credential-stuffing attacks,” he said via email. “However, the burden of creating and maintaining these unique combinations falls on the shoulders of the proverbial ‘weakest link’ (i.e., the end user). It may be time for organizations to take matters into their own hands though. If end users can’t or won’t comply with the guidance being provided to keep their accounts safe, perhaps proactive analysis of user account passwords and forced remediation when they’re determined to be vulnerable to password guessing attacks may be the only way to address this particular attack vector. The fear for businesses is obviously end user pushback, but with stiffening regulations and fines, the cost of end user frustration would appear to be minimal in comparison with non-compliance.”

Black Hat USA 2019 has kicked off this week in Las Vegas.

Discussion

  • Brian on

    Users almost always go for the path of least resistance when it comes to creating passwords. No, I cannot use your name as part of the password. No, I am not going to make it Summer2019! The user may not care about how easy the password would be to guess in a brute force attack, but I do. And that's why I have made your password AngryCabbage25# (not an actual password that I have ever created, but you get the picture). Enforcing strong password policies may mean dealing with user kickback from time to time, but who cares? They will never understand what is best for the security of their network, so that falls on the IT provider.
