UPDATED 23:28 EDT / AUGUST 08 2019

SECURITY

Data stolen from State Farm in ‘credential-stuffing’ attack

Customer data from insurance and financial services group State Farm Mutual Automobile Insurance Co. has been stolen in a hack that used credential-stuffing.

Credential stuffing uses account login details stolen in other hacks to attempt logins elsewhere, on the presumption that many people reuse the same email and password across multiple sites.

The amount of data compromised has not been disclosed. State Farm both notified affected users and requested that they reset their passwords.

“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts,” the letter said. “During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”

The first attack was detected on July 6, with eight further attacks detected using the method through to July 22, according to a report Wednesday by Bleeping Computer.

“Credential-stuffing attacks are becoming a frequent threat as companies such as PCM, Sky and Dunkin’ Donuts have all learned this year,” Vinay Sridhara, chief technology officer at cybersecurity platform Balbix Inc., told SiliconANGLE.

“The fact is that the credential-stuffing attacks are just one attack vector companies must be prepared to defend against,” Sridhara said. “Organizations are tasked with the cumbersome burden of continuously monitoring all assets across hundreds of potential attack vectors to detect vulnerabilities. This involves analyzing tens of billions of time-varying data signals, a task that is not a human-scale problem anymore.”

Adam Laub, chief marketing officer at data security firm STEALTHbits Technologies Inc., noted that the burden of creating and maintaining unique username and password combinations really ends up falling on the shoulders of the weakest link: the user.

“It may be time for organizations to take matters into their own hands,” Laub added. “If end users can’t or won’t comply with the guidance being provided to keep their accounts safe, perhaps proactive analysis of user account passwords and forced remediation when they’re determined to be vulnerable to password guessing attacks may be the only way to address this particular attack vector.”

Photo: State Farm/Flickr
