State Farm Suffers from Credential Stuffing Attack

State Farm announced that it was caught up in a recent credential stuffing attack. The United States banking and insurance company said the attack happened in July 2019. Following the incident, State Farm notified affected customers.

Credential stuffing attacks use information leaked in previous data breaches outside the company concerned. Hackers and attackers try this information in the hope of gaining access to customer accounts on various websites or platforms.

According to ZD Net, the banking and insurance giant confirms that usernames and passwords of clients remain compromised. However, the firm is confident that no fraudulent or unauthorized activity occurred in the accounts confirmed as affected.

The information mined from account holders relates to managing insurance claims. Customers of the business also rely on their accounts for bill payments, fund transfers, and the like.


In a statement, State Farm reveals that it discovered the credential stuffing attack on July 6, 2019. The company declined to comment on the number of accounts affected by the breach. The bad actor reportedly obtained information from an outside source, such as the dark web.

Although State Farm refused to comment on the number of affected accounts, Threatpost’s report reveals otherwise. In its article, the news site shares that State Farm provides service to 83 million households in the United States.

Apart from notifying customers, the business reset the passwords for the affected accounts. The firm took these steps to prevent bad actors and hackers from gaining access to sensitive data, says ZD Net. In its press release, State Farm says it also conducted an investigation into the issue.

A company spokesperson told ZD Net that they “have implemented additional controls.” They have also “[evaluated] our information security efforts to mitigate future attacks.”


Besides these security measures, the company also urges its customers to change their passwords on a regular basis. Moreover, the corporation believes that enabling multi-factor authentication may also lessen future attacks, alongside regularly reviewing personal accounts.

Series of Credential Stuffing Attacks

State Farm is not the first institution to suffer a credential stuffing attack. According to ZD Net, 3.5 billion incidents involved financial and banking institutions over the past year and a half.

Threatpost shares that Dunkin’ Donuts also fell victim to a series of incidents that happened in 2018. The two separate attacks happened in February and November of last year.

Other companies that fell victim to these attacks include HSBC, Reddit, Deliveroo, Sky, Basecamp, and DailyMotion.