Credential stuffing hinges on the fact that many people re-use passwords between different accounts, and that there are certain simple password patterns that many people rely on.
United States-based insurance giant State Farm recently mailed out a data breach notice to some of its customers. The description of the incident indicates that the company was hit with a credential stuffing attack, with an unknown number of customer accounts compromised. The attacks appear to have taken place intermittently throughout the month of July.
The breach notification indicated that a “… bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt access to State Farm online accounts.” Users who received a notification apparently had their accounts compromised, but State Farm indicates that “no sensitive personal information was viewable” and that “no fraudulent activity occurred.” Account passwords were reset for the affected customers.