United States-based insurance giant State Farm recently mailed out a data breach notice to some of its customers. The description of the incident indicates that the company was hit with a credential stuffing attack, with an unknown amount of customer accounts compromised. The attacks appear to have taken place intermittently throughout the month of July.
The breach notification indicated that a “…bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts.” Users who received a notification apparently had their account compromised, but State Farm indicates that “no sensitive personal information was viewable” and that “no fraudulent activity occurred.” Account passwords were reset for the affected customers.
Potential scope of the State Farm attack
State Farm serves about 83 million households in the United States. The breach notification did not indicate how many of the company’s customers were compromised.
Things had been going well for State Farm prior to the incident. As Vinay Sridhara, CTO of Balbix, noted:
“Trends in the auto insurance industry in 2018 were good for State Farm as rates went up 5% industry-wide. This enabled the company to earn about $81.7 billion in revenue and maintain its position as the Fortune 36 organization. Unfortunately, with the news of this breach, the insurance giant’s customer trust and brand image will take a blow, and there may be additional consequences from the Federal Trade Commission once more details about the incident are revealed.”
This incident may not take a serious toll on State Farm as it was largely not due to an internal security failing. This is an even more likely outcome if it is true that no personal data was revealed to the attackers, although this is something that can be discovered during the course of an ongoing investigation.
Credential stuffing attacks originate from external sources, generally massive lists of known username and password combinations culled from previous data breaches. Still, some liability is possible as it is considered a security best practice to actively monitor these lists for the appearance of customer account names and passwords.
The prospects for State Farm could be more dire if it turns out that the attackers ended up getting access to accounts. State Farm accounts can contain stored payment methods and the ability to transfer funds, as well as a variety of sensitive personal data.
Credential stuffing: A growing threat
Credential stuffing hinges on the fact that many people re-use passwords between different accounts, and that there are certain simple password patterns that many people rely on.
When companies are hacked and username/password combinations are either leaked to the internet or made available for purchase from a source like the dark web or an underground forum, they are inevitably pulled into massive “combo lists” that attackers use in credential stuffing attacks. Though State Farm does not cite any particular combo list in their breach notification, it is highly likely that one was used.
Credential stuffing attacks differ from standard “brute force” password guessing attacks, which hammer away at one particular website with large numbers of indiscriminate login attempts. Most authentication systems will automatically lock out an account and require secondary verification if too many incorrect login attempts are made in too short a time frame. Credential stuffing attacks instead try a limited number of username/password combinations that have some known likelihood of succeeding at each website, too few per account to trigger that lockout. They cast a wide net, however, trying many different websites one after the other.
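The contrast above is easiest to see on a log. The following script is an added example, not code from the article or from State Farm: it runs a classic per-account lockout rule and a per-source detector over a constructed set of login-audit lines (the log format, field order, thresholds and IP addresses are all assumptions). The stuffing source touches ten accounts once each and never trips the lockout, while a single user mistyping a password five times does; the per-source rule catches the former and ignores the latter, and it also lists the accounts the source did get into, which is the set a defender would reset.

```python
"""Added example: why per-account lockout misses credential stuffing, and a
per-source detector that does not. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login-audit lines (hypothetical format: timestamp, source IP,
# username, result). The first source tries ten accounts once each; the second is
# one user mistyping a password repeatedly before getting it right.
SAMPLE_LOG = """\
2019-07-08T02:14:01Z 203.0.113.7 alice@example.com FAIL
2019-07-08T02:14:02Z 203.0.113.7 bob@example.com FAIL
2019-07-08T02:14:03Z 203.0.113.7 carol@example.com OK
2019-07-08T02:14:04Z 203.0.113.7 dave@example.com FAIL
2019-07-08T02:14:05Z 203.0.113.7 erin@example.com FAIL
2019-07-08T02:14:06Z 203.0.113.7 frank@example.com FAIL
2019-07-08T02:14:07Z 203.0.113.7 grace@example.com OK
2019-07-08T02:14:08Z 203.0.113.7 heidi@example.com FAIL
2019-07-08T02:14:09Z 203.0.113.7 ivan@example.com FAIL
2019-07-08T02:14:10Z 203.0.113.7 judy@example.com FAIL
2019-07-08T09:30:00Z 198.51.100.23 mallory@example.com FAIL
2019-07-08T09:30:20Z 198.51.100.23 mallory@example.com FAIL
2019-07-08T09:30:45Z 198.51.100.23 mallory@example.com FAIL
2019-07-08T09:31:10Z 198.51.100.23 mallory@example.com FAIL
2019-07-08T09:31:30Z 198.51.100.23 mallory@example.com FAIL
2019-07-08T09:32:00Z 198.51.100.23 mallory@example.com OK
"""

LOCKOUT_FAILURES = 5                     # classic per-account control
LOCKOUT_WINDOW = timedelta(minutes=15)
STUFFING_MIN_ACCOUNTS = 8                # distinct accounts from one source ...
STUFFING_MAX_TRIES_PER_ACCOUNT = 2.0     # ... each tried only once or twice ...
STUFFING_WINDOW = timedelta(minutes=10)  # ... inside a short window


def parse_log(text):
    """Parse lines into (timestamp, ip, user, ok) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"))
    return sorted(events)


def accounts_locked_out(events):
    """Per-account lockout: LOCKOUT_FAILURES failures inside LOCKOUT_WINDOW locks the
    account; a success clears the counter. Returns the accounts that would be locked."""
    locked = set()
    recent_failures = defaultdict(list)  # user -> failure timestamps still in window
    for ts, _ip, user, ok in events:
        if ok:
            recent_failures[user].clear()
            continue
        window = [t for t in recent_failures[user] if ts - t <= LOCKOUT_WINDOW]
        window.append(ts)
        recent_failures[user] = window
        if len(window) >= LOCKOUT_FAILURES:
            locked.add(user)
    return locked


def stuffing_sources(events):
    """Per-source detector: one IP touching many distinct accounts with few tries each.
    Returns {ip: (distinct_accounts, tries_per_account, accounts_it_got_into)}."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, (ts, _ip, _user, _ok) in enumerate(evs):
            window = [e for e in evs[: i + 1] if ts - e[0] <= STUFFING_WINDOW]
            users = {e[2] for e in window}
            tries_per_account = len(window) / len(users)
            if len(users) >= STUFFING_MIN_ACCOUNTS and tries_per_account <= STUFFING_MAX_TRIES_PER_ACCOUNT:
                compromised = sorted(e[2] for e in window if e[3])
                flagged[ip] = (len(users), tries_per_account, compromised)
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("locked out by per-account rule:", accounts_locked_out(evs))
    for ip, (n, ratio, hits) in stuffing_sources(evs).items():
        print(f"stuffing from {ip}: {n} accounts, {ratio:.1f} tries each, successes: {hits}")
```

In practice the per-source key would be broader than a single IP (an ASN, a device fingerprint, or a TLS signature), since stuffing tools rotate through proxies; the shape of the signal, many accounts with one or two tries each, is the same.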
Credential stuffing attacks have been directed against similarly large and high-profile businesses in recent months. Dunkin’ Donuts experienced two credential stuffing attacks, one in late 2018 and another in early 2019. The attackers took over customers’ “DD Perks” accounts, which are used to accrue loyalty points from purchases that can be redeemed in-store for food and beverages. In July, UK telecom giant Sky experienced a credential stuffing attack on customer email accounts, as did London’s Oyster transit card system on its customer payment accounts. And Fast Retailing, the parent company of a number of popular Japanese brands, saw just over 461,000 customer accounts compromised in a May credential stuffing attack.
In April, Akamai reported that there were 30 billion credential stuffing attempts in 2018 – or at least 115 million per day. The majority of these were directed at retail chains and entertainment sites. Cyber criminals target retail sites because purchasing gift cards is one of the most popular means of turning access into profit and laundering money, and they target entertainment sites (like streaming services and gaming sites) as they are seen as softer targets with more lax security. In all cases, attackers can sell accounts that they take over on the dark web or use them as part of a scam.
Credential stuffing is also popular because it is largely automated. Non-technical attackers can obtain tools that do most of the work for them, and they draw on collections of leaked credentials that are now widely available.
Combating credential stuffing
The good news about credential stuffing is that it’s one of the easier attack types to stop.
Credential stuffing relies entirely on exploiting users who practice bad password hygiene. If end users don’t share passwords between accounts and change their passwords periodically, they have almost nothing to fear from this type of information security incident.
Of course, organizations can’t force their customers to practice good security hygiene. However, they may be able to steer them into it with policy and proactively police accounts for lapses and holes. As Adam Laub, chief marketing officer at STEALTHbits Technologies, observed:
“As already implied, unique username and password combinations are indeed the number one way to mitigate the effectiveness of credential stuffing attacks. However, the burden of creating and maintaining these unique combinations falls on the shoulders of the proverbial “weakest link” (i.e., the end user). It may be time for organizations to take matters into their own hands, though. If end users can’t or won’t comply with the guidance being provided to keep their accounts safe, perhaps proactive analysis of user account passwords and forced remediation when they’re determined to be vulnerable to password guessing attacks may be the only way to address this particular attack vector. The fear for businesses is obviously end user pushback, but with stiffening regulations and fines, the cost of end user frustration would appear to be minimal in comparison with non-compliance.”
This “nanny state” approach may be the only effective way to deal with the millions of potential end users who are simply never going to have cybersecurity awareness no matter what happens. Some companies, such as TripAdvisor, are already actively combing new breach collections for matches to member login credentials. If a match is found, TripAdvisor forces the user to change their password.
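The practice described above, combing a newly surfaced breach collection for matches against member credentials and forcing a reset on a hit, can be implemented without ever storing plaintext passwords. The script below is an added example, not TripAdvisor’s or any named company’s code: the member store, its salted PBKDF2-HMAC-SHA256 hashes, and the “email:password” combo list are all constructed here. Only combo-list entries that name a current member are run through the key derivation, and an account is queued for a forced reset only when the leaked password verifies against its stored hash.

```python
"""Added example: comb a newly surfaced combo list for matches against the member
store and flag those accounts for a forced password reset. The member store, its
PBKDF2 parameters and the combo list are all constructed for this demo."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: the site stores salted PBKDF2-HMAC-SHA256 hashes


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; the salt is random unless supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison of a candidate password against a stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def build_member_store(members):
    """members: {email: plaintext}; plaintexts exist here only to seed the demo store.
    Emails are normalised to lower case, as a real lookup should do."""
    return {email.lower(): hash_password(pw) for email, pw in members.items()}


# Constructed member store (three accounts).
MEMBER_STORE = build_member_store({
    "alice@example.com": "Summer2019!",
    "bob@example.com": "correct horse battery staple",
    "carol@example.com": "c4r0l-unique-pass",
})

# Constructed combo list in the usual "email:password" layout. Two entries match a
# member's current password, one names a member but with a different password, and
# two name people who are not members at all.
COMBO_LIST = """\
alice@example.com:Summer2019!
Bob@Example.com:hunter2
carol@example.com:c4r0l-unique-pass
nobody@example.net:password123
mallory@example.com:letmein
"""


def parse_combo_list(text):
    """Yield (email, password) pairs; split on the first ':' only, since a password may contain one."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def find_reused_credentials(store, combo_text):
    """Return the member emails whose current password appears in the combo list.
    Only entries naming a member are run through the KDF, so unknown users cost nothing."""
    must_reset = set()
    for email, password in parse_combo_list(combo_text):
        record = store.get(email)
        if record is None:
            continue
        salt, digest = record
        if verify_password(password, salt, digest):
            must_reset.add(email)
    return must_reset


if __name__ == "__main__":
    for email in sorted(find_reused_credentials(MEMBER_STORE, COMBO_LIST)):
        print(f"force password reset: {email}")
```

The same verification path can be reused at login and at password-change time, so that a password already present in a known combo list is rejected before it ever becomes the account’s password rather than only after a list turns up later.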