State Farm Data Breach – “Bad Actor” Was Able to Confirm Valid Online Account Usernames and Passwords

On August 7, 2019, ZDNet reported (“State Farm says hackers confirmed valid usernames and passwords in credentials stuffing attack”) that State Farm “suffered a credential stuffing attack in July and is now notifying impacted customers.”

The story reported that

US banking and insurance giant State Farm said it suffered a credential stuffing attack during which “a bad actor” was able to confirm valid usernames and passwords for State Farm online accounts.

State Farm said it reset account passwords to all impacted accounts to prevent future abuse from the bad actor. The company is now notifying affected customers.

A State Farm spokesperson told ZDNet the company discovered the credential stuffing attack on July 6, 2019. However, the company did not respond to a direct question asking about the number of impacted accounts. [Emphasis added.]

According to ZDNet, “[c]redential stuffing attacks are when hackers take username and password combinations that have been made public through security breaches at other companies, and use them to gain access to accounts on other services, hoping that users had reused passwords across accounts.” Further, ZDNet reported that

[c]ompanies like ad blocker AdGuard, banking giant HSBC, social media site Reddit, video sharing portal DailyMotion, delivery service Deliveroo, enterprise tool Basecamp, restaurant chain Dunkin’ Donuts, tax filing service TurboTax, and UK telco Sky have all publicly acknowledged being on the receiving end of credential stuffing attacks in the past year alone.

Hackers typically use credential stuffing attacks to confirm passwords for online accounts, which they later resell online, on hacking forums or on the dark web. [Emphasis added.]

State Farm’s “Submitted Breach Notification Sample,” submitted to the California Attorney General, among other things, stated:

State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.

. . . 

During the attempted access, the bad actor received confirmation of a valid user name and password for your account. No sensitive personal information was viewable. After a review of your online account, we have also confirmed that no fraudulent activity occurred. [Emphasis added.]

Additionally, State Farm’s data breach notice stated that State Farm reset passwords “in an effort to prevent additional attempts by the bad actor.”

Have You Been Impacted by A Data Breach?

If so, please contact Kehoe Law Firm, P.C. Partner Michael Yarnoff, Esq., (215) 792-6676, Ext. 804, for a free, no-obligation case evaluation of your facts to determine whether your privacy rights have been violated and whether there is a basis for a data privacy class action.

Examples of the type of relief sought by data privacy class actions include, but are not limited to, reimbursement of identity theft losses and of out-of-pocket costs paid by data breach victims for protective measures such as credit monitoring services, credit reports, and credit freezes; compensation for time spent responding to the breach; imposition of credit monitoring services and identity theft insurance, paid for by the defendant company; and improvements to the defendant company’s data security systems.

Data privacy class actions are brought on a contingent-fee basis; thus, plaintiffs and the class members do not pay out-of-pocket attorney’s fees or litigation costs. Subject to court approval, attorney’s fees and litigation costs are derived from the recovery obtained for the class.

Kehoe Law Firm, P.C.