State Farm, a US insurance company, has started to send email notifications to users whose online account login credentials were discovered by an attacker during the attack.
An attack on credentials is when attackers compile username and passwords that have been leaked by data breaches by different companies and use those credentials to try and gain access to accounts elsewhere. This kind of attack works especially well against users using the same password on all sites.
In a’ Data Infringement Notice’ sent to users affected by this infringement, State Farm says:
“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account. “
State Farm states that a bad actor can confirm the username and passwords of affected users, but that no data is visible and fraudulent activities have not been detected. Based on data infringement notifications, it is not known if the attackers have also logged into the accounts.
Portion of State Farm Notification
State Farm will reset the passwords for the accounts, the login credentials of which have been confirmed by the assailant.
According to a notice of the data breach lodged with the California Attorney General’s Office, Saturday 6 July 2019 was the first credential stuffing attack detected. The following attacks took place on Monday, 8th July 2019, Friday, 12th July 2019, Saturday, 13th July 2019, Sunday, 15th July 2019, Wednesday, 17th July 2019, Friday, 19th July 2019, Saturday, 20th July 2019, and Monday, 22nd July 2019.
Credential stuffing attacks becoming common
Credential reinforcement attacks become more common when data breaches expose their users ‘ account credentials.
Knowing that many people use the same password on several websites, attackers capitalize on this by compiling the exposed credentials and trying to gain access to other user accounts.
It is so bad that Akamai’s 2019 State of the Internet report reveals that in the second half of 2018 28 billion credential filling attempts were identified.
These types of attacks have resulted in companies such as TripAdvisor monitoring data infringements for exposed accounts and comparing them to their own user account login credentials. TripAdvisor invalidates the account when detecting a match and makes the user reset his password.