How to Protect Your Enterprise Against Account Takeover Attacks
Summary: The article notes that attackers are exploiting 16 billion login credentials leaked on the dark web to mount account takeover (ATO) attacks, using techniques such as credential stuffing and password spraying to inflict data breaches and reputational damage on enterprises. It stresses the importance of defenses such as multi-factor authentication (MFA), password security policies, and limits on login attempts. 2025-09-10 07:33:39 Author: securityboulevard.com

At this very moment, there are at least 16 billion recently stolen login credentials available to hackers in various dark corners of the internet. That is, according to the Cybernews researchers who uncovered the massive breach, “a blueprint for mass exploitation…. account takeover, identity theft, and highly targeted phishing.”  

While account takeover (ATO) attacks can target both individuals and corporations, the methods, motives, and impacts often differ. ATO attacks on individuals are primarily motivated by financial gain through direct exploitation. With corporations, motives are more strategic, with the potential for scalable exploitation, such as data or intellectual property theft, ransomware deployment, reputational harm, or full systemic compromise through an admin or executive account. 

According to Abnormal Security’s 2024 State of Cloud Account Takeovers Report, over 75% of security leaders consider ATOs to be among the top four global cyber threats to their organizations. That’s not surprising, as account takeovers have increased by nearly 100% since 2019, with attacks rising 24% between 2023 and 2024 alone (Sift’s Q3 2024 Digital Trust Index). In large part, this is a result of the widespread availability of stolen credentials on the dark web, as noted, more extensive data breaches, and easy access to password-cracking tools. This is why the typical criminal “business model” in this field is to obtain username and password databases wherever they can be found and then resell the data to someone else.


The problem is that securing your own database of credentials may not be enough to prevent a successful ATO. With over 70% of people using the same credentials for multiple accounts across their online interactions, a data breach at another company can immediately put your systems at risk of account takeover as well. Even if just a small percentage of the compromised usernames are found in your organization, that could be all that’s needed to gain access. 

For example, in the spring of 2024, hackers used stolen credentials to reach customer environments hosted on the cloud-based data platform Snowflake and exfiltrated millions of customer records containing login credentials and personally identifiable information (PII). They then offered that data for sale on the dark web, which led to ATO attacks and widespread ransom demands, as well as class-action lawsuits, increased regulatory scrutiny, reputational harm, and a reconsideration of cybersecurity measures by the affected companies.

How ATO attacks happen 

Attackers can attempt ATOs in a variety of ways. The most popular is credential guessing, loosely referred to as password cracking (other options, which we won’t touch on in this blog, include stealing session tokens, exploiting technical weak points, and social engineering).

Credential stuffing

The most common technique is credential stuffing, in which stolen username-password pairs from one site or service are replayed against another. The cyber security industry’s working assumption is that at least 0.01% of any site’s credential database will successfully open accounts on another site or service. So, for example, a database of one million users from a single site could enable the takeover of 100 accounts in a similarly sized user community elsewhere.

SpyCloud’s 2025 Identity Exposure Report confirmed a 70% password reuse rate for users exposed on the dark net in two or more breaches in the last year, while Security.org reported this year that 32% of ATO victims had other accounts with the same password taken over as well. For security personnel, this is a frustrating reality as the initial credential breach takes place in a service that is not under their control and the subsequent attacks are relatively easy to perpetrate.  

Email enumeration 

Email enumeration is a rapid series of requests, typically to login, registration or password-reset endpoints, intended to discover whether specific email addresses exist within a system. It can be the first step in credential stuffing or a standalone effort if the attacker doesn’t have access to paired passwords.
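The usual way a login or reset endpoint leaks existence is by answering differently (or faster) when the account is unknown. The following is an added example, not code from the original post or from Red Button, contrasting an enumerable login handler with one that returns a single generic message and performs the same password-hashing work on every path. The user store, the PBKDF2 parameters and the response strings are assumptions for illustration.

```python
import hashlib
import hmac
import os

# Constructed user store: email -> (salt, PBKDF2-SHA256 hash). Assumed, not from the post.
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash("correct horse", _SALT))}

# Dummy record so the "unknown user" path costs the same PBKDF2 work as a real check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("unused-dummy-password", _DUMMY_SALT)


def login_leaky(email: str, password: str) -> str:
    """Enumerable: a distinct message, and no hashing at all, when the account is unknown.
    An attacker can tell registered addresses from unregistered ones by message and timing."""
    rec = USERS.get(email)
    if rec is None:
        return "No account with that email"
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Incorrect password"


def login_uniform(email: str, password: str) -> str:
    """Enumeration-resistant: one generic message, and the same hashing cost whether
    or not the address exists (the dummy record is hashed in the unknown case)."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(_hash(password, salt), stored)
    # Guard against the (practically impossible) case of matching the dummy record.
    if matched and email in USERS:
        return "OK"
    return "Invalid email or password"


def request_password_reset(email: str) -> str:
    """Same response whether or not the address is registered; only the mailbox learns the outcome."""
    if email in USERS:
        pass  # queue the reset email here (delivery is out of scope for this example)
    return "If that address is registered, a reset link has been sent"


if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        print(fn.__name__, "|", fn("alice@example.com", "wrong"), "|", fn("nobody@example.com", "wrong"))
```

Rate limiting and a CAPTCHA on these endpoints still matter: uniform responses stop an attacker from confirming addresses cheaply, but they do not stop the requests themselves.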

Password spraying

Once the attacker has identified one or more valid usernames on the target site, they can initiate password spraying: trying a small set of easy, common or default passwords (like “123456” or “Password1”) against many accounts, usually at a deliberately slow pace. Because each individual account sees only one or two failures, this tactic evades lockouts that trigger on too many failed attempts against a single account.

A related brute-force tactic is the dictionary attack, in which attackers cycle through a long wordlist of candidate passwords against a single account. Against online logins this has become far less effective as per-account lockouts, rate limits and stronger password policies have spread.
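Because spraying spreads its failures thinly, it is invisible to a detector that only counts failures per account; the signature is instead many distinct accounts failing from one source in a short window, as opposed to a dictionary attack hammering one account. The following is an added example, not code from the original post or from Red Button, that parses constructed authentication log lines (a made-up format) and labels each source IP as brute force, spray/stuffing, or normal, then lists accounts that logged in successfully from a flagged source. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: timestamp, result, user, source IP); not real data.
SAMPLE_LOG = """\
2025-09-01T10:00:01Z FAIL user=alice src=203.0.113.5
2025-09-01T10:00:02Z FAIL user=bob src=203.0.113.5
2025-09-01T10:00:03Z FAIL user=carol src=203.0.113.5
2025-09-01T10:00:04Z FAIL user=dave src=203.0.113.5
2025-09-01T10:00:05Z FAIL user=erin src=203.0.113.5
2025-09-01T10:00:06Z FAIL user=frank src=203.0.113.5
2025-09-01T10:00:07Z OK   user=frank src=203.0.113.5
2025-09-01T10:01:00Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:01Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:02Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:03Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:04Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:05Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:06Z FAIL user=grace src=198.51.100.7
2025-09-01T10:01:07Z FAIL user=grace src=198.51.100.7
2025-09-01T10:05:00Z FAIL user=heidi src=192.0.2.9
2025-09-01T10:05:30Z OK   user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(log: str):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def classify_sources(events, window=timedelta(minutes=10), spray_users=5, brute_fails=8):
    """Per source IP, look at failures inside `window` of that source's first event:
    brute_force      = one account collecting many failures (dictionary attack)
    spray_or_stuffing = many accounts with at most two failures each (spraying or
                        credential stuffing; the two look alike without password data)
    normal           = neither pattern."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort()
        start = evs[0][0]
        per_user = defaultdict(int)
        for ts, result, user in evs:
            if result == "FAIL" and ts - start <= window:
                per_user[user] += 1
        if not per_user:
            verdicts[src] = "normal"
        elif max(per_user.values()) >= brute_fails:
            verdicts[src] = "brute_force"
        elif len(per_user) >= spray_users and max(per_user.values()) <= 2:
            verdicts[src] = "spray_or_stuffing"
        else:
            verdicts[src] = "normal"
    return verdicts


def suspected_takeovers(events, verdicts):
    """Accounts that logged in successfully from a source flagged as attacking:
    candidates for the block-and-reset step described later in the post."""
    return {user for ts, result, user, src in events
            if result == "OK" and verdicts.get(src) != "normal"}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    v = classify_sources(evs)
    print(v)
    print("suspected takeovers:", suspected_takeovers(evs, v))
```

In production the window would slide rather than start at the source's first event, and the source key would usually be a subnet, ASN or device fingerprint rather than a single IP, since botnets rotate addresses; the classification logic stays the same.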

Automated ATO tools

Hackers typically use tools like Playwright and Selenium to automate login attempts, as well as botnets and proxies to perform brute-force, password-spraying or credential stuffing attacks at scale. With intelligent bot automation, attackers can rapidly test different credential combinations on multiple sites, often mimicking expected human login behaviors to bypass bot detectors.

Mitigating the ATO risk

A key metric to consider when evaluating the risks arising from an ATO attack – and therefore how to prioritize your defenses – is its conversion ratio, i.e., the percentage of attempted intrusions that result in successful account compromises. For credential stuffing, this rate rises if the target site or service is related in some way to the site from which the credentials were stolen. Other factors include credential quality, with recent breaches tending to yield higher success rates, and the use of sophisticated bots designed to bypass basic protections. Skilled attackers working from very recent, highly correlated lists can see up to 10% of targeted users register at least an initial hit, with correspondingly higher conversion ratios.

With that in mind, the most effective mitigation technique by far is multi-factor authentication (MFA), especially when it is the default for account access. Hackers are unlikely to have access to the second-factor device or application; it is imperative, however, that the same credentials cannot be reused to access the second-factor system. Notably, the Snowflake breach was possible only because the initially compromised accounts did not have the optional MFA enabled.

Some companies cannot realistically mandate MFA across their entire userbase due to business considerations. And the percentage of people choosing MFA when it is voluntary is often very low. Many financial institutions have addressed this issue by only requiring secondary authentication (like entering a code sent via SMS) when a user wants to carry out actions such as withdrawing or transferring funds. However, this can still leave some critical information (PII and PCI) vulnerable to exploitation by successful ATO hackers.   

Additional measures that can be taken to protect your business and your customers from ATO attacks include a sound access management policy:   

  • Enhanced password security: This means enforcing password complexity and uniqueness among all users of an online service, and above all preventing the use of credentials or passwords known to have been leaked. Mandatory periodic password changes are still common; note, however, that NIST SP 800-63B now recommends against forced rotation in favor of screening new passwords against breached-password lists, since rotation tends to produce predictable variants.
  • Pre-login session management: Embed cookies, tokens, redirects and even JavaScript into the initial login page, so that every login becomes a tracked multi-step flow. This prevents clients from posting straight to the password endpoint, as automated ATO tools try to do, and ensures consistent credentialing across the user session.
  • One-time passwords (OTP): A second factor delivered to the user through a secondary channel, device or application, such as SMS, email, an authenticator app or a hardware token. SMS and email are the weakest of these channels, since they can themselves be taken over.
  • Single sign-on (SSO): Not a second factor in itself, but it routes every login through a central identity provider where MFA and access policy can be enforced uniformly. While it may appear to add risk – by establishing a single point of failure – it also provides centralized access control for IT security measures and improved visibility into suspicious user behavior.

ATO attempts using password cracking may initially be misidentified as a DDoS attack, due to the spike in traffic they entail. Smart hackers, however, will be careful to avoid the “DDoS effect” (i.e., causing a service to freeze up or crash due to a pipeline bottleneck). Several automated mitigation measures have therefore been developed to successfully identify and halt an ATO attack based on the pattern of attempted logins.  

  • Rate limiting: A normal user typically logs into their account once or twice a day at most, rarely with more than five consecutive failed attempts. Hackers, on the other hand, run millions of credentials through serial automated login requests, the vast majority of which fail. A rule that, for example, locks an account after 10 failed requests in five minutes would effectively restrict such an attack. Two caveats: hard locks can be turned against you, since an attacker who can trigger them locks legitimate users out, so escalating delays or step-up challenges are often preferable; and limits must also be applied per source (IP, subnet or device fingerprint), because password spraying spreads its attempts thinly across accounts and never trips a per-account threshold.
  • Bot protection – credentials check: Login attempts can be automatically validated against suspicious username-password combinations, often by crosschecking user-entered passwords with databases of leaked credentials. This can be combined with rate limiting, such that an innocent user logging in normally would still be able to connect, but a rapid series of attempted logins using compromised data would trigger a full block. With up-to-date awareness of at-risk credentials, systems can significantly mitigate the use of stolen data in ATO attacks. 
  • Friction during login: Measures like CAPTCHA challenges and biometric verification add steps to the authentication process that can differentiate humans from bots. In an effort to avoid too much disruption to user experience, automatic behind-the-scenes measures like device fingerprinting and behavioral analysis can introduce user friction (challenges) only when anomalies are detected. 
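The rate-limiting and credentials-check bullets above combine naturally into one pre-authentication gate: sliding-window throttles per account and per source, plus a breached-password lookup whose verdict escalates from a challenge (one breached password from an otherwise normal user) to a block (a burst of breached passwords from one source, the stuffing signature). The following is an added example, not code from the original post or from Red Button. The breached-password corpus is a constructed local set of SHA-1 hashes looked up by 5-character prefix in the style of the Have I Been Pwned range API; the class name, thresholds and decision strings are assumptions.

```python
import hashlib
import time
from collections import defaultdict, deque

# Constructed breached-password corpus (upper-case SHA-1 hex). Assumed, not real breach data.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper()
                 for p in ("123456", "Password1", "qwerty")}


def is_breached(password: str) -> bool:
    """k-anonymity style lookup: only the first 5 hex chars of the SHA-1 would leave
    the host in a real range query; here the range is served from the local set."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    suffixes_in_range = {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in suffixes_in_range


class LoginGate:
    """Decide allow / challenge / block before the password is verified, then
    record failures afterwards so the sliding windows stay accurate."""

    def __init__(self, acct_limit=10, src_limit=50, breached_burst=3, window_s=300):
        self.acct_limit = acct_limit        # failed attempts per account per window
        self.src_limit = src_limit          # failed attempts per source per window
        self.breached_burst = breached_burst  # breached passwords per source per window
        self.window_s = window_s
        self._fails = defaultdict(deque)    # ("acct", user) / ("src", ip) -> timestamps
        self._breached = defaultdict(deque)  # ip -> timestamps of breached-password attempts

    def _count(self, store, key, now):
        q = store[key]
        while q and now - q[0] > self.window_s:  # drop events outside the window
            q.popleft()
        return len(q)

    def decide(self, username: str, password: str, src_ip: str, now=None) -> str:
        now = time.time() if now is None else now
        if self._count(self._fails, ("acct", username), now) >= self.acct_limit:
            return "block:account-throttled"
        if self._count(self._fails, ("src", src_ip), now) >= self.src_limit:
            return "block:source-throttled"
        if is_breached(password):
            self._breached[src_ip].append(now)
            if self._count(self._breached, src_ip, now) >= self.breached_burst:
                return "block:stuffing"
            # A lone breached password from a normal-looking user is challenged, not blocked.
            return "challenge:breached-password"
        return "allow"

    def record_failure(self, username: str, src_ip: str, now=None) -> None:
        now = time.time() if now is None else now
        self._fails[("acct", username)].append(now)
        self._fails[("src", src_ip)].append(now)


if __name__ == "__main__":
    gate = LoginGate()
    t = 1000.0
    for user, pw in (("alice", "correct horse"), ("alice", "Password1"),
                     ("bob", "123456"), ("carol", "qwerty")):
        t += 1
        print(user, "->", gate.decide(user, pw, "203.0.113.5", now=t))
```

A challenge verdict is where the CAPTCHA or step-up MFA from the friction bullet belongs; a block verdict should return the same generic failure message as a wrong password, so the attacker learns nothing from being throttled.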

How key vendors have responded

In addition to the mitigation measures you can take independently, cybersecurity and web infrastructure vendors like Cloudflare, Imperva, and Radware have rolled out advanced features to combat ATO attacks. 

  • Cloudflare has added automatic flagging of login credentials found in known data breaches, as well as Super Bot Fight Mode to detect the typical massive traffic signatures associated with credential stuffing and brute-force ATO attacks.
    Red Button assessment: Cloudflare’s combination of rate limiting and crosschecking various sets of leaked credentials is extremely useful in mitigating ATO attacks. 
  • Imperva has introduced a service called Account Takeover Protection, which includes: intelligent behavioral analysis to identify and block bots used in ATO attacks across websites, mobile apps, and APIs; real-time risk scoring of login attempts; machine learning to detect evolving ATO tactics; and zero-day leaked credentials detection (automatic flagging of at-risk accounts).
    Red Button assessment: The features Imperva added were effective as a complementary ATO protection layer; however, in our estimation they are not sufficient as standalone measures. In part, this is because they seemed to rely more on IP reputation than on real-time user anomaly detection. 
  • Radware leverages its Bot Manager to combat ATOs with: AI-powered real-time detection for flagging anomalies in login behavior; semi-supervised machine learning to identify ATO attempts; device fingerprinting; and user behavior modelling to minimize false positives.
    Red Button assessment: This feature is very new and has not yet been evaluated by us.

The new ATO mitigation features reflect a shift among major vendors from static defense to adaptive, intelligence-driven protection. This pivot alone, regardless of the effectiveness of each specific tactic, is a noteworthy change that can improve cybersecurity. 

Proactive testing: ATO simulations 

ATO testing assesses the resilience of account services against unauthorized access attempts. By identifying strengths and vulnerabilities, you can proactively reduce the risk of data breaches and enhance user trust. 

Red Button’s methodology for ATO testing is to simulate the conditions and capabilities of likely external attackers. This means black-box testing, with minimal or no prior knowledge of the target system. We rely on publicly accessible information and thorough reconnaissance of the service, just as a hacker might do, in order to attempt bypassing existing ATO protections and to prepare for any contingencies. 

We use a globally distributed botnet and a massive database of publicly available compromised credentials to simulate various ATO attack scenarios. This high-volume automation provides insight into your exposure and evaluates how well your system can withstand real-world ATO attempts. 

Analysis of your login flow and ATO simulation testing uncovers hidden weaknesses in under-the-hood mechanisms such as client-side JavaScript checks and encrypted cookies. A detailed report outlines what we found and provides clear, prioritized recommendations for remediation.

Four immediate takeaways

Even before undertaking ATO testing or implementing preemptive measures, we strongly recommend the following four preliminary steps to immediately lower your risk and improve your mitigation capabilities.

  1. Institute periodic password reset requirements and regularly delete dormant accounts. 
  2. Identify accounts you suspect may have been compromised, block access to them, and enforce password reset. 
  3. Design first-response and forensic analysis plans, so that your cybersecurity team will be able to quickly identify active or potential ATOs, respond accordingly, and carry out post-event analysis. 
  4. Expand your threat intelligence by acquiring information from vendors about usernames and passwords that are known to have been compromised. You can then check your system for those credentials, ideally automatically at login time.

*** This is a Security Bloggers Network syndicated blog from Red Button authored by Gili Birchat El. Read the original post at: https://www.red-button.net/how-to-protect-your-enterprise-against-account-takeover-attacks/


Source: https://securityboulevard.com/2025/09/how-to-protect-your-enterprise-against-account-takeover-attacks/?utm_source=rss&utm_medium=rss&utm_campaign=how-to-protect-your-enterprise-against-account-takeover-attacks