Insurance company State Farm revealed that a digital security incident might have exposed their customers’ personal information.
In August 2019, ZDNet obtained a copy of a letter in which State Farm disclosed a data breach. The insurance company specifically revealed that a bad actor had conducted a credential stuffing attack. This type of operation is where digital attackers leverage user IDs and passwords from other sources like the dark web to try to access customer accounts.
The company clarifies what happened next in its data breach notice:
During the attempted access, the bad actor received confirmation of a valid user name and password for your account. No sensitive personal information was viewable. After a review of your online account, we have also confirmed that no fraudulent activity occurred.
This incident isn’t the first credential stuffing attack to make news in 2019. Back in early January, Reddit reset users’ passwords after it detected unusual behavior suggestive of bad actors attempting to perpetrate credential stuffing attacks. This was just a few weeks before bad actors targeted Dailymotion, a video-sharing technology platform, with credential stuffing attacks in order to hijack users’ accounts. Just a month later, Dunkin’ Brands Inc. (“Dunkin’”) said that bad actors had used credential stuffing attacks to target some DD Perks accounts.
State Farm revealed that it responded to this incident by resetting the passwords for all affected users. It then urged users to regain access to their accounts by creating a strong password that’s unique across all of their web accounts. Those users can refer to this resource as a means to create such a combination.
Users would also be wise to defend themselves against identity thieves. They can do so by implementing two-factor authentication (2FA) whenever this option is available and by enabling a VPN. They can further reduce the risk of identity theft using these recommendations.