State Farm Breach Highlights Threat of Credential Stuffing Attacks

Bloomington, Ill.-based insurance and financial services firm State Farm said it suffered a credential stuffing attack in which “a bad actor” confirmed valid usernames and passwords for State Farm online accounts.

A State Farm spokesperson told ZDNet the company discovered the credential stuffing attack on July 6, 2019. The company, which filed a data breach notification with the California Attorney General, and on August 7 sent out “Notice of Data Breach” emails to affected online account users, did not reveal the number of impacted accounts.

In addition to notifying impacted users, State Farm said it reset all passwords for breached accounts.

Deepak Patel, security evangelist at PerimeterX, commented: “Credential stuffing is accomplished by hackers who take advantage of users who often reuse the same passwords across multiple online accounts.” Patel explained stolen credentials combined with personal information from previous breaches, can result in an account takeover. “The vast number of past data breaches means that the amount of credentials available on the dark web is massive.” Patel acknowledged this makes it more difficult than ever for website owners to protect against such attacks, even if their businesses were never involved in a breach. “In this case, hackers likely used automation – bots – to test permutations and combinations of credentials from the dark web until they found those that worked.” Patel added website owners must consider bot mitigation as part of their web application protection strategy to protect against the ongoing threat of ATO.

“As one of the world’s largest insurance and financial services organizations, State Farm possesses a high amount of sensitive information,” Anurag Kahol, CTO, Bitglass. “While it is not currently known how many customer accounts the attacker was able to access through the credential stuffing, State Farm reports it services 83 million policies and accounts in the U.S.” Kahol suggested this hack could have been prevented if the company used dynamic identity and access management solutions that can detect potential intrusions. “Organizations should authenticate their users in order to ensure that they are who they say they are before granting them access. Fortunately, multi-factor authentication and user and entity behavior analytics are two tools that can help companies to defend customer information as well as the rest of their corporate data.”

Kahol pointed out people commonly reuse passwords across multiple accounts, which means if a cybercriminal gains access to login information for one account, they can potentially gain access to various accounts for that individual across multiple services. “Although State Farm has reset account passwords after hackers gained access to its systems, other accounts for those users could still be in jeopardy.” Kahol said customers should change their passwords not only for State Farm but across all accounts using the same login credentials.

“Credential stuffing attacks are becoming a frequent threat as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year. The fact is that the credential stuffing attacks are just one attack vector companies must be prepared to defend against,” Vinay Sridhara, CTO, Balbix.

Sridhara pointed out, trends in the auto insurance industry in 2018 were good for State Farm as rates went up 5% industry-wide. “This enabled the company to earn about $81.7 billion in revenue and maintain its position as the Fortune 36 organization. Unfortunately, with the news of this breach, the insurance giant’s customer trust and brand image will take a blow, and there may be additional consequences from the Federal Trade Commission once more details about the incident are revealed.”

Credential stuffing attacks are becoming a frequent threat as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year, Sridhara said. “The fact is that the credential stuffing attacks are just one attack vector companies must be prepared to defend against.

Sridhara added, organizations must contend with the cumbersome burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. “This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore.” Sridhara said they key to thwarting future attacks is to leverage security tools that employ artificial intelligence and machine learning. “Proactively managing risk must become the new norm.”

Stephen Moore, chief security strategist, Exabeam, said, “The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organizational alerts they receive in a day.” That complexity, when combined with the inherent difficulties of detecting credential-based attacks, creates an environment that lacks control and trust. “In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts.”

Moore recommended, to remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach closely aligned with monitoring user behavior. “This should include the ability to detect, using behavioral characteristics, when events have occurred – especially when it comes to customer–facing incidents.”

Bryan Becker, product manager & security researcher, WhiteHat Security, said, “The fact that hackers were able to gain access to State Farm accounts using credentials obtained from previous breaches of other applications reinforces the importance of setting a different username/password combination for every application you utilize as an end user.” Becker maintained it is essential for individuals to practice security mindedness when browsing the web to lessen the personal impact data breaches will have.

Becker provided some other tips for personal online security:

• Utilizing multi-factor authentication on any application that supports it.
• Only log into sites that sends credentials and other sensitive information over secure sockets layer. “A quick way to determine this is if the URL you are viewing is prefaced with ‘https://.”
• Whenever checking email with hyperlinks in a web browser, hover the mouse over the links and verify the links’ direction. The actual URL appears on the lower left corner of the screen. “It’s possible the blue highlighted URL is actually a disguised malicious link.”