
Harmonizing Security and Usability to Tackle Account Takeover

by Enzoic on September 17, 2024

Account takeover (ATO) has become a significant threat to online platforms and consumers, costing billions annually. With the increasing digitization of services, threat actors have found numerous ways to exploit stolen credentials, resulting in account takeovers across various sectors. The challenge for organizations lies in balancing strong security measures with a seamless user experience, a delicate trade-off that often pits usability against safety. But ignoring ATO threats is no longer an option, given the scale of financial and reputational damage associated with these attacks.

The Growing Threat of Account Takeover

Cybercriminals have honed their techniques for leveraging stolen passwords across platforms, taking advantage of several factors:

  • Access to Stolen Credentials on the Dark Web: Breached credentials are widely available for purchase and use in automated attacks.
  • Password Reuse: A vast majority of users—around 85%—reuse the same password across multiple websites, creating an easy avenue for hackers.
  • User Convenience: Customers prefer simple, easy access to their accounts. When security measures are too burdensome, users disengage.

Striking a balance between security and convenience is the core challenge for organizations. Increasing security measures, like multi-factor authentication (MFA), doesn’t fully resolve the issue and can potentially frustrate users. Organizations must understand the mechanics of account takeover fraud, its causes, and how to address the problem without alienating users.

Understanding How Account Takeover Occurs

In 2024, Enzoic researchers discovered a staggering 600,000 breached credentials appearing on the Dark Web each and every hour. Attackers use a variety of methods to collect passwords, including phishing, malware, and direct hacks on corporate systems. Once obtained, stolen credentials can be monetized, even targeting organizations unrelated to the initial breach.

The widespread reuse of credentials allows attackers to leverage low-value breaches to conduct more severe attacks elsewhere through a technique known as credential stuffing.

Credential Stuffing: A Preferred Attack Method

Credential stuffing involves taking a set of stolen usernames and passwords from one site and using them to attempt logins on many other sites. Automated tools and botnets let attackers run these attacks at massive scale, submitting millions of login attempts across many platforms. The attacks are difficult to detect because the attempts are spread across many different IP addresses, so no single source stands out, and the tooling employs further techniques to evade detection.

Credential stuffing has become incredibly widespread, with Akamai reporting 61 billion attempts in 2023. Even a small success rate in these attacks can have devastating consequences, from financial fraud to data theft, making this one of the most lucrative forms of cybercrime today.
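To make the detection problem above concrete, here is an added example (not from the article and not Enzoic's code) that runs two heuristics over a constructed authentication log: a classic per-IP failure threshold, and an aggregate check that counts how many distinct accounts are failing inside one time window. All log data, thresholds and function names are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample auth events (not from the article): (timestamp_s, username, source_ip, outcome)
NORMAL_TRAFFIC = [
    (0, "alice", "198.51.100.7", "success"),
    (5, "bob", "198.51.100.8", "fail"),
    (6, "bob", "198.51.100.8", "success"),
    (20, "carol", "198.51.100.9", "success"),
]
# Stuffing pattern: every attempt targets a different account from a different IP,
# so no single IP ever accumulates enough failures to trip a per-IP limit.
STUFFING_TRAFFIC = [
    (120 + i, f"user{i:03d}", f"203.0.113.{i}", "success" if i == 8 else "fail")
    for i in range(1, 41)
]
# Brute force pattern: one IP hammering one account (the case per-IP limits do catch).
BRUTE_FORCE = [(200 + i, "alice", "192.0.2.5", "fail") for i in range(6)]

def per_ip_failures(events, threshold=5):
    """Classic rate limit: flag source IPs with more than `threshold` failed logins."""
    fails = defaultdict(int)
    for _, _, ip, outcome in events:
        if outcome == "fail":
            fails[ip] += 1
    return {ip for ip, n in fails.items() if n > threshold}

def distributed_stuffing_windows(events, window=60, min_users=20, min_fail_ratio=0.8):
    """Aggregate across accounts instead of per IP: a window in which many distinct
    usernames fail, from many distinct IPs, with a high overall failure ratio."""
    buckets = defaultdict(list)
    for ts, user, ip, outcome in events:
        buckets[ts // window].append((user, ip, outcome))
    alerts = []
    for b, rows in sorted(buckets.items()):
        fails = [r for r in rows if r[2] == "fail"]
        users = {u for u, _, _ in fails}
        ips = {ip for _, ip, _ in fails}
        ratio = len(fails) / len(rows)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            alerts.append({"window_start": b * window, "failed_users": len(users),
                           "source_ips": len(ips), "fail_ratio": ratio})
    return alerts

if __name__ == "__main__":
    everything = NORMAL_TRAFFIC + STUFFING_TRAFFIC + BRUTE_FORCE
    print("per-IP detector flags:", per_ip_failures(everything))          # only the brute-force IP
    print("distributed detector:", distributed_stuffing_windows(everything))  # the stuffing window
```

Each detector catches what the other misses, which is why a per-IP rate limit alone is not a credential-stuffing control.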

Real-World Impact: Snowflake’s ATO Incident

A notable case in 2024 involved Snowflake, a cloud data platform. Though Snowflake itself wasn’t breached, attackers used credentials exposed in other breaches to target its customers, demanding ransoms of $300,000 to $5 million.

Enzoic researchers had flagged these compromised credentials in their database years earlier, emphasizing the importance of proactive monitoring to prevent ATO incidents before they escalate.

All Online Accounts Are at Risk

While consumer-facing organizations are heavily impacted by financial fraud, other types of organizations are also affected. In today’s app-driven economy, where every business operates as a software business, the range of accounts that interest cybercriminals has expanded significantly.

  • Bank Accounts: Stolen credentials allow unauthorized access, leading to financial losses for account holders and institutions.
  • Credit Card Accounts: Identity theft and unauthorized purchases are common issues.
  • Online Retail Accounts: Hackers place fraudulent orders, leading to revenue loss and damage to business reputation.
  • Online SaaS Services: Applications and email accounts are exploited for phishing and other illegal activities.
  • Online Streaming Services: Accounts are hacked to resell access through illegal streaming services.
  • Gaming Sites: Young and inexperienced users are targets, with compromised accounts sold on the Dark Web.
  • Loyalty Programs: Points and rewards, such as in the recent Chick-fil-A credential stuffing attacks, are drained and sold in illicit markets.

The broader range of account types being targeted underscores the need for comprehensive account protection across industries.

The Hidden Costs: Customer Attrition and Brand Damage

While the financial losses from ATO are significant, organizations also face reputational damage. Studies show that 76% of customers are likely to abandon a brand after experiencing account takeover. Beyond direct monetary losses, the erosion of trust can lead to long-term consequences, such as lost customer loyalty and diminished brand reputation.

The Limitations of MFA

Though MFA adds a layer of security by requiring an additional identity verification step, its adoption remains low. For example, only 22% of Microsoft’s Azure AD customers use MFA, and Google reported that only 45% of users had enabled MFA on at least one account. Even when used, MFA reduces takeovers by only about 50%, highlighting its limitations.

Furthermore, MFA is vulnerable to specific attacks, like SIM-swapping, which was on the rise in 2023, allowing attackers to bypass SMS-based verification.

The Role of Password Monitoring in ATO Prevention

While MFA is a useful security measure, it’s not sufficient on its own. Password monitoring offers an additional layer of protection by identifying compromised credentials before they can be used in an attack. Continuous monitoring allows organizations to detect when user passwords have been exposed and prompt a password reset before the account is compromised.

How Enzoic’s Password Monitoring Works

Enzoic’s team of threat researchers actively monitors and collects data from the Dark Web, as well as from public breaches, continuously gathering compromised credentials and other sensitive information. This data is then transformed into actionable intelligence, enabling organizations to proactively detect and prevent potential security threats. By integrating this intelligence into the authentication process, Enzoic ensures that credentials are screened in real-time during login attempts, account setups, and password resets. This approach allows organizations to block compromised passwords before they can be exploited, without requiring any additional steps or interruptions for the end-user. The entire process operates seamlessly in the background, maintaining a smooth and secure user experience while strengthening overall account security.

Enzoic’s monitoring solutions can be integrated into both internal systems like Active Directory and external login flows, enabling organizations to protect their users and customers from ATO threats. By preventing the use of compromised passwords, whether for employees or end-users, Enzoic helps mitigate ATO risks in real-time. This capability extends beyond simple password management, offering comprehensive protection against credential-based attacks across a variety of use cases, securing both internal accounts and external customer-facing systems.
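As an added illustration of the screening flow described in the two sections above (a constructed example, not Enzoic's code or API), the snippet below wires a compromised-password check into the three points the article names: account setup, password reset, and login. The breach feed, the hash-prefix lookup, the `ingest_leak` helper and the user store are all assumptions; a correct but later-leaked password turns a successful login into a forced reset rather than a silent success.

```python
import hashlib
import os
import secrets

# Constructed stand-in for a compromised-credential feed (not Enzoic's data).
LEAKED_PASSWORDS = ["Password123", "qwerty2024", "letmein!", "Summer2023!"]

# Screening index keyed by the first 5 hex chars of SHA-1, mapping to the hash suffixes.
# Only hashes are kept, so the index never holds plaintext passwords.
BREACH_INDEX: dict[str, set[str]] = {}

def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def ingest_leak(passwords) -> None:
    """Simulates continuous monitoring: newly collected breach data is added to the index."""
    for pw in passwords:
        h = _sha1_hex(pw)
        BREACH_INDEX.setdefault(h[:5], set()).add(h[5:])

ingest_leak(LEAKED_PASSWORDS)

def is_compromised(password: str) -> bool:
    """Range-style lookup (assumed technique): the 5-char prefix selects a bucket and the
    suffix is compared locally, so a full hash never needs to leave the application."""
    h = _sha1_hex(password)
    return h[5:] in BREACH_INDEX.get(h[:5], set())

# Minimal credential store for the demo: username -> (salt, PBKDF2 hash).
USERS: dict[str, tuple[bytes, bytes]] = {}

def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def set_password(username: str, password: str) -> str:
    """Account setup and password reset share one rule: refuse known-compromised passwords."""
    if is_compromised(password):
        return "rejected_compromised"
    salt = os.urandom(16)
    USERS[username] = (salt, _derive(password, salt))
    return "ok"

def login(username: str, password: str) -> str:
    """Verify the password first, then screen it: a correct but breached password
    gets the user into a forced reset instead of a normal session."""
    rec = USERS.get(username)
    if rec is None:
        return "denied"
    salt, stored = rec
    if not secrets.compare_digest(_derive(password, salt), stored):
        return "denied"
    return "reset_required" if is_compromised(password) else "ok"
```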

Conclusion: Balancing Security and User Experience

Preventing account takeover fraud is no longer a question of “if” but “how.” While solutions like multi-factor authentication provide some protection, organizations need proactive measures, such as password monitoring and real-time credential screening, to combat these threats effectively. Balancing security with a smooth user experience is crucial to protecting customers without driving them away.

Enzoic’s solutions offer a way for businesses to stay ahead of the evolving threat landscape while maintaining user-friendly interactions. By leveraging advanced threat intelligence, organizations can prevent credential stuffing and account takeovers without compromising usability. Read the e-book on how to tackle account takeover without compromising user experience.

*** This is a Security Bloggers Network syndicated blog from Blog | Enzoic authored by Enzoic. Read the original post at: https://www.enzoic.com/blog/tackle-account-takeover/
