The American insurance company State Farm fell victim to a "credential stuffing" attack, a subcategory of brute-force attacks. The hackers take credentials exposed in other companies' data breaches, try them on other sites, and gain access to the accounts of users who reuse those credentials.
Thus, State Farm began sending email notifications to customers affected by the attack.
In that "data breach notification", State Farm said:
"State Farm recently discovered a safety issue where a malicious hacker used a list of usernames and passwords, obtained from another source, such as the dark web, and used them to access online State Farm accounts. During our investigation, we found out that the hacker had credentials for your State Farm account."
The company says that the hacker obtained the usernames and passwords of some clients, but that there is no evidence they were used for other malicious activities. State Farm claims that the hacker could not see other personal information.
After an investigation, the company identified the accounts of the affected users and proceeded to reset their passwords.
According to a data breach notification filed with the California Attorney General's Office, the first attack discovered was on Saturday 6 July 2019. The other attacks followed immediately: Monday 8 July, Friday 12 July, Saturday 13 July, Sunday 14 July, Wednesday 17 July, Friday 19 July, Saturday 20 July and Monday 22
No further information is available at this time.
"Credential stuffing" attacks are becoming more and more common
"Credential stuffing" attacks are becoming more common as hackers take advantage of the numerous corporate data breaches and gain access to user credentials.
One report showed that in the second half of 2018 there were 28 billion "credential stuffing" attacks.
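
The pattern described above (credentials from other breaches tried against many accounts) leaves a recognisable shape in login logs: one source, many different usernames, very few attempts per username, and a low success rate. The following detection sketch is an added example, not code from State Farm or the article; the event format, thresholds, labels and function names are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample login events (source_ip, username, success); not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}", i == 17) for i in range(40)]      # one try per account
    + [("198.51.100.9", "alice", False)] * 30                      # many tries, one account
    + [("192.0.2.10", "bob", False), ("192.0.2.10", "bob", True)]  # ordinary typo, then success
)


def classify_sources(events, min_attempts=20, stuffing_ratio=0.8, max_success_rate=0.1):
    """Label each source IP by the shape of its login attempts.

    Thresholds are illustrative assumptions and must be tuned on real traffic.
    """
    per_source = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set()})
    for ip, user, success in events:
        stats = per_source[ip]
        stats["attempts"] += 1
        stats["ok"] += int(success)
        stats["users"].add(user)

    verdicts = {}
    for ip, stats in per_source.items():
        if stats["attempts"] < min_attempts:
            verdicts[ip] = "normal"  # too little volume to judge
            continue
        distinct_ratio = len(stats["users"]) / stats["attempts"]
        success_rate = stats["ok"] / stats["attempts"]
        if distinct_ratio >= stuffing_ratio and success_rate <= max_success_rate:
            # Nearly every attempt targets a different account: a credential list replay.
            verdicts[ip] = "credential_stuffing"
        elif distinct_ratio < stuffing_ratio:
            # Many attempts concentrated on few accounts: password guessing.
            verdicts[ip] = "password_guessing"
        else:
            verdicts[ip] = "normal"
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts a flagged source logged in to successfully: candidates for a forced reset."""
    return sorted({user for ip, user, ok in events
                   if ok and verdicts.get(ip) == "credential_stuffing"})


if __name__ == "__main__":
    v = classify_sources(SAMPLE_EVENTS)
    print(v, accounts_to_reset(SAMPLE_EVENTS, v))
```

Real attacks are often spread across many source addresses, so the same grouping is usually repeated per network range or client fingerprint rather than per single IP.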