The good hands at State Farm let a credential stuffing attack slip through, but the company does not believe any information was leaked or viewed by the malicious actor.
In a letter to the affected customers, State Farm said the attacker used login credentials most likely procured on the dark web and then attempted to use them to access the customers' State Farm accounts. So far, the only result of the attack was that the hacker received confirmation that the user name and password used were valid for the account.
“No sensitive personal information was viewable. After a review of your online account, we have also confirmed that no fraudulent activity occurred,” State Farm said in the letter.
The company has completed a forced password reset for its customers and is asking them to reset their credentials once again. If their compromised State Farm credentials are also used with other accounts, those should be reset too.
“Credential stuffing attacks are becoming a frequent threat as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year. The fact is that the credential stuffing attacks are just one attack vector companies must be prepared to defend against,” said Vinay Sridhara, CTO, Balbix.