US insurance firm State Farm has confirmed a credential-stuffing attack. In a letter to customers, the company reports a so-called "bad actor" used a list of user IDs and passwords obtained from outside sources to attempt to gain access to State Farm online accounts.
As part of the attack, the actor was able to confirm a valid username and password for affected accounts. No sensitive personal information was viewable, State Farm says, and no fraud has been detected. It has reset passwords to block future malicious activity by the same attacker.
In its notification letter, the insurer urges users to change passwords as soon as possible and to reset the password for other accounts that share the same one. Customers are encouraged to monitor their accounts and credit reports for the next one to two years and report suspicious activity to law enforcement, including the Federal Trade Commission and attorney general.
Read more details here.