State Farm, the largest property and casualty insurer in the US, has been hit by a credential stuffing attack. The firm acknowledged the incident by filing a data breach notice with the California Attorney General, and on Wednesday (August 7) it emailed a "Notice of Data Breach" to users whose online account login credentials had been obtained by the attacker.
The insurer's data breach notification letter read: "State Farm recently discovered an information security incident in which a hacker used a list of user IDs as well as passwords obtained from some other source, such as the dark web, to try to access State Farm's online accounts. During the investigation, we found that the bad actor owned the user ID and password for your online account on State Farm."
This type of attack is called credential stuffing. Attackers buy or harvest usernames and passwords leaked in other companies' data breaches and replay them, usually with automated tooling, against the login pages of unrelated sites. It works because many people use the same password on many different sites, so a pair that was valid on one breached service is often still valid elsewhere.
In its Notice of Data Breach email, State Farm confirmed that the attacker obtained valid usernames and passwords for the online accounts of some policyholders, but said that no personal information was exposed and no fraud was found, according to the BleepingComputer report. It remains unknown whether the attacker actually logged in to the accounts.
In addition to notifying affected customers, State Farm reset the passwords of all accounts whose credentials were obtained by the attacker.
Credential stuffing attacks are on the rise, and a number have been reported this year. According to Aaron Zander, head of security at HackerOne, a bug bounty and vulnerability disclosure platform, retailers tend to be prime targets for credential stuffing, but criminals also continue to target financial services companies.
"The password we used hundreds of times in the early 2000s has come back to haunt us again," Zander said. "Users should not reuse passwords. But people do it anyway, and criminals know it well. Implementing good password practices, such as using a password manager, multi-factor authentication, and changing passwords as soon as you are notified that your account has been compromised, can significantly mitigate the impact of credential attacks.
"At the same time, companies running sites and applications must keep them from becoming testing grounds for valid credentials. It is important not to allow one person or one IP address to submit more than a handful of logins, both in the total volume they can try and in how quickly they can submit them. Using tools like CAPTCHA, magic links via email, rate limiting, browser fingerprinting, and general thinking about how a login page can be abused can help take a website out of the playing field for testing credentials."
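The attack pattern described above and the two controls Zander mentions (per-IP and per-account attempt limits) as an added Python example. This is not code from the article, from State Farm or from HackerOne; the log format, thresholds and sample lines are constructed for illustration. The detector flags a source that tries many different accounts in a short window, which is what distinguishes stuffing from a user fumbling their own password, and lists the accounts where the source got a successful login, since those are the ones that need a forced reset:

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not real State Farm data). One address
# walks through a leaked username:password list and happens to hit one valid
# pair; a legitimate user mistypes their own password once; a third is noise.
SAMPLE_LOG = """\
2019-08-07T10:00:01Z ip=203.0.113.5 user=alice result=FAIL
2019-08-07T10:00:02Z ip=203.0.113.5 user=bob result=FAIL
2019-08-07T10:00:02Z ip=203.0.113.5 user=carol result=FAIL
2019-08-07T10:00:03Z ip=203.0.113.5 user=dave result=OK
2019-08-07T10:00:03Z ip=203.0.113.5 user=erin result=FAIL
2019-08-07T10:00:04Z ip=203.0.113.5 user=frank result=FAIL
2019-08-07T10:00:10Z ip=198.51.100.7 user=alice result=FAIL
2019-08-07T10:00:20Z ip=198.51.100.7 user=alice result=OK
2019-08-07T10:00:21Z ip=192.0.2.9 user=grace result=FAIL
garbage line that should be skipped
"""

# Hypothetical log format; adapt the pattern to your own auth logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=5),
                          min_attempts=5, min_distinct_users=4):
    """Flag IPs that, within any rolling `window`, attempt many logins across
    many *different* accounts. A user fumbling their own password produces
    many attempts on one account; stuffing produces one or two attempts on
    each of many accounts. The report lists which accounts the source logged
    in to successfully, i.e. the ones whose passwords must be reset."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            # advance the window start so that evs[start:end+1] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_attempts and len(users) >= min_distinct_users:
                if best is None or len(span) > best["attempts"]:
                    best = {
                        "attempts": len(span),
                        "distinct_users": len(users),
                        "compromised": sorted(
                            e["user"] for e in span if e["result"] == "OK"),
                    }
        if best:
            flagged[ip] = best
    return flagged


class LoginRateLimiter:
    """Rolling-window limit on login attempts per key. Run one instance keyed
    by client IP and another keyed by username, so a single source cannot
    hammer many accounts and a single account cannot be hammered from many
    sources."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        q = self._hits[key]
        while q and now - q[0] > self.window:
            q.popleft()              # drop attempts that aged out of the window
        if len(q) >= self.limit:
            return False             # over budget: reject, serve a CAPTCHA, etc.
        q.append(now)
        return True


if __name__ == "__main__":
    for ip, info in flag_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['attempts']} attempts on {info['distinct_users']} "
              f"accounts; reset passwords for {info['compromised']}")
```

Keying the limiter by IP alone is not enough against a botnet that spreads the list over thousands of addresses, which is why the per-username limiter matters, and why a successful login from a source that also produced many failures on other accounts should be treated as a compromise rather than as a normal sign-in.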