
Account Takeover (ATO) Attacks

What is the Difference Between Credential Stuffing and Account Takeover?

Credential Stuffing vs. Account Takeover

“Credential stuffing” is sometimes used interchangeably with “account takeover,” but in reality, they are separate concepts. Account takeover is the result of successful credential stuffing.

Definition of Credential Stuffing

Credential stuffing is the actual process of inputting stolen username and password data into a login page, in an attempt to take over an account.

Imagine a scenario where an imaginary storefront accidentally leaves an Amazon EC2 instance unprotected, exposing their entire customer base’s usernames and passwords. Hacking Enterprises scrapes this login information and posts it to a public paste site, where attackers can take it and use it for themselves.

With this list in hand, an attacker can use a bot to perform a credential stuffing attack against various websites that hold high-value information. Because of the high rate of password reuse, an attacker can test these credentials against banks, health insurance, social media, or other login pages.

Once the attacker has a list of valid accounts and logins, then they can perform an account takeover attack and control the account as a fraudulent user.


What Do Attackers Gain in Account Takeover Attacks?

Goal of ATO Attempts = Monetary Gain

Malicious actors have much to gain from a successful account takeover attack, although the end goal is monetary reward. Successful ATO attacks can play out in many ways. For example, attackers will:

  1. Leverage the user account for their own gain. After breaching the account, the attacker behaves as though they’re the legitimate account owner, abusing website functions for their own benefit. An attacker might transfer money, purchase products, or spread a political agenda.
  2. Sell stolen data on the dark web. Attackers gain access to valuable account information (e.g. stored credit card data and PII) and then sell this data to other threat actors, usually for the purposes of identity theft.
  3. Sell validated login credential pairs. Refined lists of tried-and-tested credentials are exceptionally valuable on the black market.

What Types of Organizations Are Targets of Account Takeover Fraud?

Account Takeover Attempts by Industry
This chart represents the proportion of customer events (indicators of attacks) that reached a defined threshold for account takeover attempts in July 2019.

Account takeover has been a growing problem in a number of different industries that have embraced digital transformation and increased their online presence to generate sales. Due to the value of stolen accounts and the information they contain, hospitality and healthcare are among the biggest targets of ATO attacks.

Our data shows that these industries have seen a rise in account takeover:

  • Hospitality
  • Healthcare
  • Retail
  • Media & Entertainment
  • Financial Services
  • Education

ATO Attacks by Vertical

As digital transformation pushes all industries online, virtually all verticals are targets for ATO attack.


Healthcare and insurance user accounts have highly valuable data that fetch a premium on the dark web, such as bank account numbers, credit card numbers, PII, and social security numbers. Malicious actors can fraudulently use stolen insurance information to fund their own medical procedures.

Financial Services

ATO attacks on banking and financial institutions can result in attackers gaining access to bank accounts, checking routing numbers, and PII. Using a breached bank account login, an attacker can transfer the money into another account, use the account number for fraudulent purchases, or resell the bank accounts as part of a verified list.

Retail & E-commerce 

Attackers that gain access to e-commerce accounts can transfer rewards points, execute fraudulent transactions, siphon personal information like addresses, capture credit card numbers, or resell the account as part of a verified list.


Types of Account Takeover Attacks

Account takeover can be executed in multiple different ways, depending on the attacker’s end goal, resources, and scale.

Credential Stuffing

Attackers execute credential stuffing by:

  1. Purchasing lists of leaked credentials (usernames and passwords)
  2. Testing combinations across different websites

Leaked credential lists vary in accuracy and quality, which is reflected in the price of the list on the dark web. Credential stuffing has a relatively high success rate because the usernames and passwords originate from a known source, and because many users choose insecure passwords and reuse them.

Credential Cracking

Credential cracking occurs when attackers have access to a list of usernames, but not passwords. Attackers then search for the password using other tactics, including brute-force attacks, dictionary attacks, and phishing.

Email Account Takeover (Phishing)

Email account takeover, known as “phishing,” occurs when attackers leverage a list of email addresses without passwords. Attackers blast fake “phishing” emails to the list, often posing as a credible business, then trick recipients into clicking on fraudulent links. The link typically takes the users to a fake login page where they unwittingly enter their credentials. Phishing campaigns tend to target large lists with thousands of recipients, in contrast to spear phishing, which takes a more individualized approach.

Spear phishing is a more well-researched version of phishing that uses social engineering and background sleuthing to target individuals. Attackers send emails ostensibly from a known, trusted sender, which compels targets to share confidential information. For example, an attacker might use your email address to find your Facebook account, discover your brother’s name, then use an alias so the spear phishing email appears as a genuine message from your brother.

Call Center Fraud

Call center fraud is common in banking institutions in instances where attackers have lists of leaked usernames, passwords, and contact information. When trying to access bank accounts, the attacker will pose as a call center employee and call the account owner to verify PINs, security questions, or multi-factor authentication tests.


ATO Attack Prevention: Secure Applications from Fraud

How to Detect ATO Attacks Targeting Your Web App

Stopping an ATO attack requires complete visibility into activity on your web application so that you understand your baseline web traffic. Monitoring tools can provide the insight needed to detect traffic anomalies that indicate an attack.

Indicators of Attack

Dashboard monitoring web requests indicating account takeover

Once you’ve installed a monitoring tool and established a baseline of activity on your most vulnerable sites (e.g. login pages, password reset), you can now establish definitions and thresholds for unusual activity.

Common attack indicators for ATO include:

  • Excessive login attempts
  • Excessive password resets
  • An influx of activity from a single IP address
  • Login attempts from atypical geographic areas
  • Successful logins from suspicious IP addresses

An organization that observes these indicators on its web application can use the monitoring tool to slow the suspicious traffic down, block it, or allow it to happen.
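The sketch below shows threshold-based detection for several of the indicators listed above. It is an added example, not code from this page or from any monitoring product. The event tuple format, window size, thresholds, and the distinct-username rule (a refinement of "influx of activity from a single IP address") are assumptions; geographic checks are left out because they need a GeoIP data source.

```python
from collections import defaultdict, deque

WINDOW = 60       # seconds; assumed sliding-window size
MAX_LOGINS = 5    # assumed threshold: login attempts per IP per window
MAX_RESETS = 3    # assumed threshold: password resets per IP per window
MAX_USERS = 3     # assumed threshold: distinct usernames per IP per window

def detect(events):
    """events: iterable of (ts, ip, user, action, ok), sorted by ts.
    Returns (ts, ip, indicator) alerts; threshold alerts fire once per IP."""
    recent = defaultdict(deque)   # ip -> events still inside the window
    suspicious = set()            # IPs that tripped any threshold rule
    seen = set()                  # (ip, indicator) pairs already reported
    alerts = []

    def alert(ts, ip, name):
        suspicious.add(ip)
        if (ip, name) not in seen:
            seen.add((ip, name))
            alerts.append((ts, ip, name))

    for ts, ip, user, action, ok in events:
        win = recent[ip]
        win.append((ts, user, action))
        while win and win[0][0] <= ts - WINDOW:   # expire old events
            win.popleft()
        logins = [e for e in win if e[2] == "login"]
        resets = [e for e in win if e[2] == "reset"]
        if len(logins) > MAX_LOGINS:
            alert(ts, ip, "excessive_logins")
        if len({e[1] for e in logins}) > MAX_USERS:
            alert(ts, ip, "many_usernames")
        if len(resets) > MAX_RESETS:
            alert(ts, ip, "excessive_resets")
        # A success from an already-flagged IP likely means a valid pair was found.
        if action == "login" and ok and ip in suspicious:
            alerts.append((ts, ip, f"success_from_suspicious_ip:{user}"))
    return alerts

# Constructed sample events (documentation IP ranges, made-up usernames).
SAMPLE = (
    [(t, "203.0.113.7", f"user{t}", "login", False) for t in range(0, 8)]
    + [(9, "203.0.113.7", "user9", "login", True)]
    + [(10 + 30 * i, "198.51.100.4", "alice", "login", i == 2) for i in range(3)]
    + [(100 + i, "192.0.2.55", "bob", "reset", True) for i in range(5)]
)

if __name__ == "__main__":
    for a in detect(sorted(SAMPLE)):
        print(a)
```

The account named in a `success_from_suspicious_ip` alert is the one to prioritize for a forced password reset or session revocation.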

How to Secure Your Web Apps from Account Takeover Attempts

To avoid getting compromised, you must first be aware that your applications are under attack. Prioritizing production visibility will help inform blocking decisions, ensuring that legitimate users have access and only malicious users are blocked.

A comprehensive web application & API protection (WAAP) platform secures your entire system, using a next-gen web application firewall (WAF) to monitor your traffic. Our WAF solution works automatically with minimal tuning, while integrating seamlessly with your existing business processes and application infrastructure. A next-gen WAF can block a range of advanced web attacks including ATO, DDoS, and SSRF.
