State Farm Suffers Credential Stuffing Attack: Experts Comment


Yesterday, U.S. insurance provider State Farm disclosed they suffered a credential stuffing attack earlier this year.

State Farm released an email notification to potentially affected customers on the matter: “State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”

However, it does not appear the hackers responsible obtained any personally identifiable information from the credential stuffing attack. Moreover, State Farm did not detect any fraud resulting from the threat. The threat actor(s) did gain access to usernames and passwords, and their identity remains unknown. 

Additionally, State Farm has reset all passwords for accounts affected by the credential stuffing and contacted the relevant regulatory agencies. The insurance provider did not answer questions as to the number of impacted accounts. 

State Farm and Credential Stuffing: The Experts

On the surface, this hack should barely merit notice. After all, we don’t know how many users ended up affected by it, and the damage seems minimal at worst. However, the State Farm attack does matter, because it illustrates the dangers of credential stuffing.

For more, we turn to the experts: 

Vinay Sridhara, CTO, Balbix

Credential stuffing attacks are becoming a frequent threat, as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year. The fact is that credential stuffing attacks are just one attack vector companies must be prepared to defend against. Organizations are tasked with the cumbersome burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities.

This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore. The key to thwarting future attacks like what State Farm has suffered is to leverage security tools that employ AI and ML to observe and analyze these data points in real time and derive insights to prioritize which vulnerabilities to fix first, based on risk and business criticality. Proactively managing risk must become the new norm.

Anurag Kahol, CTO, Bitglass 

This hack could have been prevented if the company used dynamic identity and access management solutions that can detect potential intrusions. Organizations should authenticate their users in order to ensure that they are who they say they are before granting them access. Fortunately, multi-factor authentication (MFA) and user and entity behavior analytics (UEBA) are two tools that can help companies to defend customer information as well as the rest of their corporate data.

Additionally, people commonly reuse passwords across multiple accounts, which means if a cybercriminal gains access to login information for one account, they can potentially gain access to various accounts for that individual across multiple services. Although State Farm has reset account passwords after hackers gained access to its systems, other accounts for those users could still be in jeopardy. Customers should change their passwords not only for State Farm but across all accounts where that same password may be used. Better yet, they should stop using the same passwords across multiple accounts altogether. 
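The behavioral detection the experts describe comes down to one observable: a single source trying many different usernames in a short window with a high failure rate, which is how replayed leaked credential lists look in an authentication log, and the few attempts that succeed are exactly the accounts that need the kind of forced password reset State Farm performed. The following added example (not State Farm's, Bitglass's or Balbix's code) implements that heuristic over a constructed log; the `src=... user=... result=...` line format, the IP addresses, the usernames and the thresholds are all assumptions made for the illustration.

```python
"""Flag credential-stuffing patterns in an authentication log.

Added illustration, not code from any vendor or from State Farm. The log
format, sample addresses/usernames and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Assumed log line format (constructed for this example):
#   2019-08-06T14:02:11Z src=203.0.113.7 user=alice result=FAIL
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.7 sprays seven different usernames in six
# seconds (one succeeds); 198.51.100.22 is one user mistyping a password;
# 192.0.2.9 is a normal login. Addresses are from documentation ranges.
SAMPLE_LOG = """\
2019-08-06T14:02:11Z src=203.0.113.7 user=alice result=FAIL
2019-08-06T14:02:12Z src=203.0.113.7 user=bob result=FAIL
2019-08-06T14:02:13Z src=203.0.113.7 user=carol result=FAIL
2019-08-06T14:02:14Z src=203.0.113.7 user=dave result=OK
2019-08-06T14:02:15Z src=203.0.113.7 user=erin result=FAIL
2019-08-06T14:02:16Z src=203.0.113.7 user=frank result=FAIL
2019-08-06T14:02:17Z src=203.0.113.7 user=grace result=FAIL
2019-08-06T14:05:40Z src=198.51.100.22 user=heidi result=FAIL
2019-08-06T14:05:52Z src=198.51.100.22 user=heidi result=FAIL
2019-08-06T14:06:03Z src=198.51.100.22 user=heidi result=OK
2019-08-06T14:09:00Z src=192.0.2.9 user=ivan result=OK
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]}


def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Return {source_ip: summary} for sources matching the stuffing pattern.

    A source is flagged when, inside any `window`-long span of its attempts,
    it touched at least `min_users` distinct accounts and at least
    `min_fail_ratio` of those attempts failed. The summary lists the accounts
    that nevertheless logged in successfully (candidates for a forced reset).
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        j = 0
        for i in range(len(events)):
            # Slide j forward so events[i:j] is every attempt within `window` of events[i].
            while j < len(events) and events[j]["ts"] - events[i]["ts"] <= window:
                j += 1
            span = events[i:j]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if e["result"] == "FAIL")
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = alerts.get(src)
                # Keep the widest-spraying window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    alerts[src] = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(e["user"] for e in span if e["result"] == "OK"),
                    }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(src, summary)
```

The single-user source with a couple of failures is deliberately left alone: a per-account lockout threshold would catch it, but it is not stuffing, and tuning `min_users` against distinct accounts rather than raw failure counts is what separates the two. In production the same logic would key on more than a source address (ASN, user agent, session fingerprint), since stuffing tooling commonly rotates addresses.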

Thanks to our experts for their time and expert commentary on Credential Stuffing. Additionally, you can learn more in our 2019 Identity Management Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.