United States based insurance company State Farm has begun to send out email notifications to users whose online account login credentials were discovered by an attacker during a credential stuffing attack.

A credential stuffing attack is when attackers compile usernames and passwords that were leaked from different company's data breaches and use those credentials to try and gain access to accounts at other sites. This type of attack works particularly well against users who use the same password at every site.

In a "Notice of Data Breach" sent to users impacted by this breach, State Farm says:

State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.

State Farm states that a bad actor was able to confirm the username and passwords of impacted users, but that no personal information was viewable and that fraudulent activity was not detected. It is not known, based on the data breach notification, if the attackers actually logged into the accounts as well.

Portion of State Farm Notification

In response to these attacks, State Farm reset the passwords for accounts whose login credentials were confirmed by the attacker.

According to the data breach notification filed with the Office of the California Attorney General, the first detected credential stuffing attack was on Saturday, July 6, 2019. Subsequent attacks were on Monday, July 8, 2019, Friday, July 12, 2019, Saturday, July 13, 2019, Sunday, July 14, 2019, Wednesday, July 17, 2019, Friday, July 19, 2019, Saturday, July 20, 2019, and Monday, July 22, 2019.

BleepingComputer received the following statement from State Farm regarding these attacks:

"Beginning on July 6, 2019, State Farm discovered a bad actor or actors attempting to gain access to customer’s accounts using a list of user IDs and passwords from other sources. To defend against the attack, we reset passwords for these online accounts in an effort to prevent additional attempts by the bad actor. We have implemented additional controls and continue to evaluate our information security efforts to mitigate future attacks. Large companies see cyber security attacks on a regular basis. We take the security of all customer information seriously, and we regularly monitor our networks and test the strength of our security to remain vigilant against increasingly sophisticated cyber security threats. Incidents like this remind us we all must continue to exercise diligence to protect our personal information. We encourage customers to regularly change their passwords to a new and unique password and review all personal accounts for signs of malicious activity. "

Credential stuffing attacks becoming common

Credential attacks are becoming more common as data breaches expose the account credentials of their users.

Knowing that many people use the same password at numerous sites, attackers capitalize on this by compiling these exposed credentials and attempting to access other accounts that the user may have.

It has gotten so bad, that the 2019 State of the Internet report by Akamai states 28 billion credential stuffing attempts were detected in the second half of 2018.

These types of attacks have caused companies like TripAdvisor to monitor data breaches for exposed accounts and compare them to the login credentials of their own user accounts. When they detect a match, TripAdvisor invalidates the account and makes the user reset their password.

Update 8/8/19: Updated article with statement from State Farm.