BreachExchange mailing list archives
State Farm Investigates Credential-Stuffing Attack
From: Destry Winant <destry () riskbasedsecurity com>
Date: Fri, 9 Aug 2019 09:25:26 -0500
https://www.databreachtoday.com/state-farm-investigates-credential-stuffing-attack-a-12893

Insurer State Farm has been hit by a credential-stuffing attack designed to gain access to U.S. customers' online accounts, a company spokesperson confirms. The company's security team first noticed the attack on July 6. State Farm recently started to notify customers of the incident, according to ZDNet, which first reported on the incident after obtaining a copy of the company's notification letter.

Bloomington, Indiana-based State Farm is one of the largest insurance brokers and financial services firms in the U.S. Its online services allow customers to transfer funds and pay bills.

The State Farm spokesperson tells Information Security Media Group that an unknown hacker attempted to gain access to online accounts by using credentials obtained through dark net sites. The attacker was able to confirm usernames and passwords while attempting to log into customers' online accounts through a credential-stuffing attack, the insurer says, but the company has not confirmed any fraudulent activities.

"State Farm discovered a bad actor or actors attempting to gain access to customers' online accounts using a list of user IDs and passwords from other sources," the company spokesperson tells ISMG. "To defend against the attack, we reset passwords for these online accounts in an effort to prevent additional attempts by the bad actor. We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks."

It's not clear how many customers were affected by the incident, and the State Farm spokesperson did not specify how many notification letters went out.

"We encourage customers to regularly change their passwords to a new and unique password, use multifactor authentication whenever possible and review all personal accounts for signs of unusual activity," the spokesperson says.
Credential Stuffing on the Rise

Credential stuffing has emerged as one of the biggest threats to enterprises across the world. A 2018 report by security vendor Akamai found that companies were reporting nearly 13 credential stuffing incidents each month in which the attacker successfully identified valid credentials. The report also found that many enterprises lack proper security protocols to counter these types of attacks, which typically involve hackers using usernames and passwords stolen in other breaches in an attempt to attack other organizations by guessing combinations of names and passwords. The approach is effective because so many users reuse the same passwords for different accounts.

In May, Fast Retailing, a Japanese clothing retailer, sustained a credential stuffing attack that exposed the details of its 460,000 online customers. That incident resulted in a hacker targeting the company's network to access data, which included email IDs and partial credit card numbers (see: Hack of Japanese Retailer Exposes 460,000 Customer Accounts).

Availability of Stolen Credentials

The huge amount of stolen data that's available for use in credential-stuffing attacks came into focus earlier this year with the discovery of a massive collection of usernames and passwords seemingly available to anyone looking for them.

In January, Troy Hunt, who runs the "Have I Been Pwned?" data breach search website, discovered one of the biggest collections of breached data, which he called Collection #1 (see: Data Breach Collection Contains 773 Million Unique Emails). Hunt traced the origin of the data to a number of files in MEGA, a popular cloud-based file sharing service.
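As an added illustration, not part of the article or the list post, here is the detection logic a defender would run over authentication logs to spot the pattern the article describes: one source walking a list of distinct user IDs with mostly failed logins, plus the set of accounts whose credentials it confirmed, which is the set the insurer force-reset. The log format, addresses, user names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
# Constructed sample auth log (not real State Farm data). Source 198.51.100.7
# walks a list of distinct user IDs with mostly failures and a few hits: the
# signature of a credential-stuffing run. 203.0.113.9 is a user mistyping.
SAMPLE_LOG = """\
2019-07-06T02:00:01Z src=198.51.100.7 user=alice result=FAIL
2019-07-06T02:00:02Z src=198.51.100.7 user=bob result=FAIL
2019-07-06T02:00:02Z src=198.51.100.7 user=carol result=SUCCESS
2019-07-06T02:00:03Z src=198.51.100.7 user=dave result=FAIL
2019-07-06T02:00:03Z src=198.51.100.7 user=erin result=FAIL
2019-07-06T02:00:04Z src=198.51.100.7 user=frank result=SUCCESS
2019-07-06T02:01:10Z src=203.0.113.9 user=alice result=FAIL
2019-07-06T02:01:15Z src=203.0.113.9 user=alice result=FAIL
2019-07-06T02:01:20Z src=203.0.113.9 user=alice result=SUCCESS
2019-07-06T02:02:00Z src=192.0.2.44 user=ivan result=SUCCESS
"""
LINE_RE = re.compile(r"^\S+ src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$")

def parse_events(text):
    """Parse the constructed log format into dicts; unmatched lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def detect_stuffing(events, min_distinct_users=5, max_success_ratio=0.5):
    """Flag sources that try many distinct user IDs and mostly fail.
    A user retrying one account keeps distinct_users at 1 and is not flagged.
    Returns {src: {"attempts", "distinct_users", "confirmed_accounts"}}."""
    per_src = defaultdict(lambda: {"attempts": 0, "users": set(), "confirmed": set()})
    for e in events:
        s = per_src[e["src"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "SUCCESS":
            s["confirmed"].add(e["user"])  # a credential the attacker confirmed
    flagged = {}
    for src, s in per_src.items():
        success_ratio = len(s["confirmed"]) / s["attempts"]
        if len(s["users"]) >= min_distinct_users and success_ratio <= max_success_ratio:
            flagged[src] = {"attempts": s["attempts"], "distinct_users": len(s["users"]),
                            "confirmed_accounts": sorted(s["confirmed"])}
    return flagged

def accounts_to_reset(flagged):
    """Accounts a flagged source logged into: the set to force-reset, as the insurer did."""
    return sorted({u for f in flagged.values() for u in f["confirmed_accounts"]})

if __name__ == "__main__":
    hits = detect_stuffing(parse_events(SAMPLE_LOG))
    print(hits, "\nforce password reset for:", accounts_to_reset(hits))
```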