Banking and insurance giant State Farm said it suffered a credential stuffing attack during which “a bad actor” was able to confirm valid usernames and passwords for State Farm online accounts.
State Farm said it reset account passwords to all impacted accounts to prevent future abuse from the bad actor.

“Trends in the auto insurance industry in 2018 were good for State Farm as rates went up 5% industry-wide. This enabled the company to earn about $81.7 billion in revenue and maintain its position as the Fortune 36 organization. Unfortunately, with the news of this breach, the insurance giant’s customer trust and brand image will be significantly affected, and there are likely to be additional consequences from the Federal Trade Commission, once more details are revealed about the incident.
Credential stuffing attacks are becoming a frequent threat as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year. The fact is that the credential stuffing attacks are just one attack vector that the companies must be prepared to defend against. Organizations are tasked with the cumbersome burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore. They key to thwarting future attacks like what State Farm has suffered is to leverage security tools that employ right AI and ML techniques to observe and analyze these data points in real time and derive insights in order to prioritize the vulnerabilities that need to get fixed first, based on several global factors such as availability of exploit code, publicly available password information available from past breaches and environmental factors such as risk and business criticality, and mitigation controls in place. Proactively managing risk must become the new norm and is a requirement for successful cyber practice.”
That password we used hundreds of times in the early 2000’s has come back to haunt us. People shouldn’t reuse passwords. But people still do and criminals know this. Adopting good password practices, such as the use of password managers and multi-factor authentication and changing passwords immediately upon receiving notification that your account has been compromised, can go a long way in mitigating against credential stuffing attacks.At the same time, it’s also up to companies who operate websites and applications to prevent themselves from becoming testbeds for valid credentials. Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important, both in the total amount they are trying and how fast they can submit. Using tools like captcha, email magic links, rate limiting, browser detection and generally thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.