Account Takeover

What is Account Takeover?

Account Takeover occurs when either an attacker uses stolen credentials and automation to login (Credential Stuffing) or where they repeatedly try to guess the password (Credential Cracking/Brute Force Attacks). In both attacks, bots are at the heart of the process


Account Takeover is where people are using bot traffic to attempt to gain control of user accounts within your system. The two most common approaches to account takeover involve varying methods to identify legitimate user accounts.

Credential Cracking or Brute Force Attacks is trying to guess passwords for known usernames/email addresses, usually by matching with dictionaries of commonly used passwords.

Credential Stuffing is taking lists of known email and password combinations (usually obtained from other security breaches) and trying them out on alternative sites, knowing that many people will re-use the same password on multiple sites. These lists are readily available on the dark web and increase in value if the passwords have been validated on multiple sites. This means that other companies security breaches really are your problem.

Account Takeover may be undertaken to extract value from the account or the services the account has access to or it may simply be to harvest personal data or validate the password combination.

Account Takeover attempts are happening regularly on virtually any website that has a login function.


How we prevent account takeover

Account Takeover is a very valuable industry but also a widespread problem with the perpetrators varying vastly in levels of sophistication.

Netacea use a range of approaches to detect Account Takeover activity. At a simple level the built in reputational analysis and blacklists of known bad actors can easily weed out the less sophisticated attempts.

However, this pool is rapidly shrinking as more complex tools are developed and become more widely available. To address the remaining attacks, Netacea has developed the leading, artificial intelligence based Account Takeover detection tool currently available.

Netacea Intelligence uses advanced machine learning techniques to detect Account Takeover attempts by spotting patterns of behaviour that indicate suspicious behaviour. This includes spotting indications of an upcoming attack, such as large amounts of fake account creations that can be used to camouflage an Account Takeover Attack, as well as actual attacks themselves.


Netacea has successfully managed to reliably identify and mitigate Account Takeover attempts from a wide range of businesses using our behavioural algorithms. One recent large ecommerce site we mitigated was attacked using a widely distributed botnet across 138 countries, rotating thousands of IP addresses and user agents, and attempted to login over 500,000 times over days. The IP rotation was very rapid, and country based blocking would have resulted in blocking billions of potential customers. These ATO attempts were geographically split over the multiple countries, in multiple time zones and continents, and had no discernable geographic pattern.

These latest 'slow and low' attacks are designed to be under the radar for normal WAF threshold detection rates, and are 'blended' in with login-ins to fake accounts created in advance. This allows the attack to blend into a normalised threshold of login success, and won't be detected by regular threshold analysis.

For more on the actual account take over attempts we've seen click here