State Farm Says Hackers Confirmed Valid Usernames And Passwords In Credentials Stuffing Attack

Banking and insurance giant State Farm said it suffered a credential stuffing attack during which “a bad actor” was able to confirm valid usernames and passwords for State Farm online accounts.

State Farm said it reset account passwords to all impacted accounts to prevent future abuse from the bad actor.

Expert Comments
Aaron Zander, Head of IT,  HackerOne
August 09, 2019
That password we used hundreds of times in the early 2000s has come back to haunt us. People shouldn’t reuse passwords. But people still do and criminals know this. Adopting good password practices, such as the use of password managers and multi-factor authentication and changing passwords immediately upon receiving notification that your account has been compromised, can go a long way in mitigating against credential stuffing attacks.

At the same time, it’s also up to companies who operate websites and applications to prevent themselves from becoming testbeds for valid credentials. Preventing one person or one IP from submitting more than just a handful of logins or even the same one is important, both in the total amount they are trying and how fast they can submit. Using tools like captcha, email magic links, rate limiting, browser detection and generally thinking about how a login page can be abused can all contribute to removing a website from the field of play for credential testing/stuffing.
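One way to implement the login-page limits the comment describes (how many attempts one IP may submit, how many different usernames one IP may try, and how many attempts any account may receive in a window), as an added example in Python that is not code from the article or from State Farm; the thresholds and the sample attempt streams are constructed:

```python
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window throttle for a login endpoint (constructed example).

    Over a window of `window_s` seconds it enforces:
      per_ip_max        total attempts from one source IP
      per_ip_max_users  distinct usernames tried from one IP; walking many
                        usernames with one password each is the stuffing pattern
      per_user_max      attempts against one username from any source
    Blocked attempts are still recorded, so a client that keeps hammering stays blocked.
    """

    def __init__(self, window_s=60, per_ip_max=20, per_ip_max_users=5, per_user_max=10):
        self.window_s, self.per_ip_max = window_s, per_ip_max
        self.per_ip_max_users, self.per_user_max = per_ip_max_users, per_user_max
        self._by_ip = defaultdict(deque)    # ip -> deque of (timestamp, username)
        self._by_user = defaultdict(deque)  # username -> deque of timestamp

    def _trim(self, dq, now, ts_of):
        # Drop entries that have aged out of the sliding window.
        while dq and ts_of(dq[0]) <= now - self.window_s:
            dq.popleft()

    def check(self, ip, username, now):
        """Return 'allow' or the name of the limit that blocks this attempt.
        Call before verifying the password, then always call record()."""
        ip_q, user_q = self._by_ip[ip], self._by_user[username]
        self._trim(ip_q, now, lambda e: e[0])
        self._trim(user_q, now, lambda t: t)
        if len(ip_q) >= self.per_ip_max:
            return "ip_rate"
        if len({u for _, u in ip_q} | {username}) > self.per_ip_max_users:
            return "ip_distinct_users"
        if len(user_q) >= self.per_user_max:
            return "user_rate"
        return "allow"

    def record(self, ip, username, now):
        self._by_ip[ip].append((now, username))
        self._by_user[username].append(now)


def simulate(attempts, **limits):
    """Feed constructed (timestamp, ip, username) attempts through one throttle."""
    th = LoginThrottle(**limits)
    decisions = []
    for t, ip, user in attempts:
        decisions.append(th.check(ip, user, t))
        th.record(ip, user, t)  # count the attempt whether or not it was allowed
    return decisions
```

In a real deployment the deques would live in shared storage such as Redis so every login server sees the same counts, and a block would typically step up to a captcha or magic-link challenge rather than a hard refusal.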
