The firm, says the report, acknowledged the cyberattack, filing a data breach notification with the California Attorney General, and by sending out “Notice of Data Breach” emails to users whose online account log-in credentials were obtained by the hackers.
The insurer’s data breach notification email said,“State Farm recently detected an information security incident in which a bad actor used a list of user IDs and passwords obtained from some other source, like the dark web, to attempt to access to State Farm online accounts. During our investigation, we determined that the bad actor possessed the user ID and password for your State Farm online account.”
According to the report, State Farm confirmed in its “Notice of Data Breach” email that the attacker obtained usernames and passwords of some policyholders’ accounts, but no personally identifiable information was obtained and no fraud was detected. It is unknown if the attacker logged into accounts.