State Farm, a behemoth in the banking and insurance business in the United States, became the victim of a large credential stuffing attack. Credential stuffing is a form of cyber attack in which usernames and passwords taken from a breached system are replayed by bots against another website, in the hope that some of the stolen credentials will also authenticate at the target site, in this case State Farm. The company confirmed that some login attempts were successful and has therefore enforced a forced password reset to secure its users’ data.
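As an added illustration (not code from the article or from State Farm), the following Python sketch shows one way a defender can spot the pattern just described in authentication logs: many distinct usernames tried from a single source in a short window, most of them failing. The log format, the sample lines and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (hypothetical format: timestamp ip user result);
# not State Farm's real logs. 203.0.113.9 sprays five different accounts.
SAMPLE_LOG = """\
2019-07-06T02:00:01Z 203.0.113.9 alice FAIL
2019-07-06T02:00:02Z 203.0.113.9 bob FAIL
2019-07-06T02:00:02Z 203.0.113.9 carol FAIL
2019-07-06T02:00:03Z 203.0.113.9 dave OK
2019-07-06T02:00:03Z 203.0.113.9 erin FAIL
2019-07-06T02:00:05Z 198.51.100.4 grace FAIL
2019-07-06T02:00:09Z 198.51.100.4 grace FAIL
2019-07-06T02:00:15Z 198.51.100.4 grace OK
2019-07-06T02:00:20Z 192.0.2.77 heidi OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; unparsable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return events

def detect_stuffing(events, min_distinct_users=5, max_success_ratio=0.5, window_seconds=60):
    """Flag source IPs that try many distinct usernames within a window with a low success rate.
    A single account hammered repeatedly (198.51.100.4) is brute force, not stuffing, and is not flagged."""
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # advance the window start so the window spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            successes = [u for _, u, ok in window if ok]
            if len(users) >= min_distinct_users and len(successes) / len(window) <= max_success_ratio:
                # accounts that authenticated during the spray are the ones to force-reset first
                flagged[ip] = {"attempts": len(window), "distinct_users": len(users), "compromised": sorted(successes)}
                break
    return flagged
```

The `compromised` list is the set a response team would prioritise for the kind of forced password reset the article describes.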
This information was shared with all affected customers by email, with a copy uploaded to a scribd.com page. State Farm’s Office of Privacy, represented by its manager Kelley Bott, expressed regret over the incident and opened the company’s phone line (1-800-STATEFARM) for those with further questions or clarifications.
“During the attempted access, the bad actor received confirmation of a valid user name and password for your account. No sensitive personal information was viewable. After a review of your online account, we have also confirmed that no fraudulent activity occurred,” explained Kelly Bott. The company expects further credential stuffing attempts for the foreseeable future, hence the forced password reset. A further issue lies beyond the firm’s control: users reusing the same password across multiple websites.
To ensure that no genuine user credential falls victim to the campaign, the company committed to further securing its systems. State Farm has not disclosed what the attackers did after successfully accessing their victims’ accounts, nor exactly how many accounts were accessed through credential stuffing.
“If you use the same password for other online accounts, reset those, too. While it is often easier to return to a previous password that is easy to remember, a bad actor may have already obtained your user ID and password and may use it to access your online accounts with State Farm or other companies,” added the report.
There is no word on whether State Farm will provide free credit report monitoring for the victims; however, the company itself strongly recommends that they sign up for such a service for the next 24 months as a precaution. The Federal Trade Commission and the Attorney General were informed of the case, and the company committed to cooperating fully with law enforcement authorities.
“You may place a security freeze (also known as a credit freeze) on your credit file. A security freeze is designed to prevent potential creditors from accessing your credit report at the three national credit agencies without your consent. You must separately place a security freeze on your credit file at each,” concluded State Farm.
According to the California Attorney General’s office, the campaign started on Saturday, July 6, 2019. It was followed by further waves on July 8, July 12, July 13, July 14, July 17, July 19 and July 20; the last detected campaign took place on July 22, 2019.