BlaBlaCar Prevents Account Takeovers with DataDome & Google Cloud
With over 100 million members, BlaBlaCar is the world’s largest car-sharing community. Hosted on Google Cloud Platform, the website and mobile app serve a large and valuable user base, which makes it a prime target for fraudsters seeking financial and personal data. The company turned to DataDome to provide highly scalable and real-time protection without impacting website performance or user experience. This successful partnership enabled the company to eliminate account takeover, carding, and other attacks with AI-powered protection.
The challenge: Account takeover leading to payment or stored value diversion for fraud
After observing a number of unusual and inexplicable load spikes, the BlaBlaCar team discovered the irregular traffic was due to bots trying to take control of user accounts on the site, so they began to closely monitor the behavior of the bots. Account takeover (ATO) attacks, carried out by “impersonator” type bots, usually exploit login-password databases that have been stolen from other sites.
In order to take control of user accounts, the bots use a “brute force” technique: they access the login forms and very rapidly test all the stolen login-password combinations, often hundreds of thousands of them. Since many people reuse the same login-password combination on multiple sites, the success rate of ATO attacks can reach 8%.
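The pattern described above has a distinctive footprint in login logs: one client tries many different usernames in a short burst, with only a small fraction of attempts succeeding, whereas a person who mistypes a password retries the same username. The following detector is an added example written for this page, not code from DataDome or BlaBlaCar; the log format, field names, sample lines and thresholds are all constructed assumptions.

```python
"""Credential-stuffing detection over login logs.

Added example, not code from DataDome or BlaBlaCar. The log format, the
field names and the thresholds are assumptions constructed for illustration.
The signal is the one the case study describes: one client trying many
*different* usernames in a short burst with almost no successes, which is
how a stolen login-password list is replayed. A human retrying their own
password hits the *same* username repeatedly and is not flagged.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <client_ip> <username> <OK|FAIL>".
# 203.0.113.7 replays a stolen list (8 users in 4 s, one hit, ~12% success);
# 198.51.100.4 is a person retrying their own password; 192.0.2.9 logs in normally.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.7 u1@example.com FAIL
2024-05-01T10:00:01 203.0.113.7 u2@example.com FAIL
2024-05-01T10:00:01 203.0.113.7 u3@example.com FAIL
2024-05-01T10:00:02 203.0.113.7 u4@example.com OK
2024-05-01T10:00:02 203.0.113.7 u5@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 u6@example.com FAIL
2024-05-01T10:00:03 203.0.113.7 u7@example.com FAIL
2024-05-01T10:00:04 203.0.113.7 u8@example.com FAIL
2024-05-01T10:00:05 198.51.100.4 carol@example.com FAIL
2024-05-01T10:00:12 198.51.100.4 carol@example.com FAIL
2024-05-01T10:00:20 198.51.100.4 carol@example.com OK
2024-05-01T10:01:00 192.0.2.9 dave@example.com OK
"""


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    client: str
    user: str
    ok: bool


def parse_log(text: str) -> list[LoginEvent]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, user, result = parts
        events.append(LoginEvent(datetime.fromisoformat(ts), client, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_distinct_users=5, max_success_ratio=0.2):
    """Return {client: stats} for clients whose activity inside any `window`
    covers >= min_distinct_users distinct usernames with a success ratio
    <= max_success_ratio. Stats describe the widest qualifying burst."""
    by_client = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_client[e.client].append(e)

    flagged = {}
    for client, evs in by_client.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end].ts - evs[start].ts > window:
                start += 1
            span = evs[start:end + 1]
            users = {e.user for e in span}
            successes = [e.user for e in span if e.ok]
            if len(users) < min_distinct_users:
                continue
            if len(successes) / len(span) > max_success_ratio:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": len(successes),
                    # Accounts that accepted a replayed credential: the ones to
                    # force a password reset and session revocation on.
                    "hit_users": sorted(set(successes)),
                }
        if best:
            flagged[client] = best
    return flagged


if __name__ == "__main__":
    for client, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(client, stats)
```

Keying on the client IP is the simplest version of this rule; the case study later notes that bots rotate through proxy networks, so in practice the same window logic is also worth running on a global or per-endpoint basis, where a sudden rise in distinct usernames with a flat success rate shows up even when each individual IP stays under the threshold.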
But what, exactly, were the bots (or the fraudsters driving them) trying to achieve?
In account takeover attacks, bots have a dual objective: to collect as much personal data as possible (name, postal address, email, telephone, etc.), but also to exploit various means of payment linked to the accounts.
Carding, for example, consists of using stolen card numbers to make purchases via spoofed accounts. Attackers also try to retrieve coupons and credit coupons to use or resell. Therefore, it’s important to protect coupon sites from bots.
By closely observing the bots’ behavior, BlaBlaCar discovered that certain bots had industrialized a process to modify the transfers between community members, in order to divert them for their own benefit.
Adding to the complexity was the platform’s geographical diversity. BlaBlaCar operates in 22 countries, each with its own unique fraud landscape. In Europe for instance, attackers favored brute force credential stuffing. In Asia, the focus was on SMS pumping scams, exploiting systems to generate excessive charges. The variety and sophistication of the threats demanded a solution that could adapt to these regional challenges without compromising the seamless experience that BlaBlaCar’s users had come to expect.
BlaBlaCar managed to foil the attacks before any harm was done to its customers, but protection against the threats required constant monitoring and daily updates. The BlaBlaCar team soon realized that it would be more efficient to use a dedicated solution, and they carefully selected DataDome.
The solution: Seamless integration with Google Cloud & optimized performance for BlaBlaCar
BlaBlaCar’s revenue comes primarily from its website and mobile app, both hosted on the Google Cloud Platform. Therefore, it was crucial to find a bot and fraud mitigation solution that would integrate seamlessly with their existing Google Cloud infrastructure and services. The implementation and installation of the DataDome module were therefore carefully monitored, in order to ensure they didn’t affect site stability or user experience.
The main concern was performance. Since DataDome validates 100% of incoming traffic requests in real-time, the module is positioned at a critical point for any website or app. BlaBlaCar’s team needed assurance that DataDome’s infrastructure could handle all its traffic and scale seamlessly on Google Cloud.
Latency is another key element of the user experience that Francis had no intention of compromising on. But thanks to the performance of 30+ global PoPs providing protection at the edge, close to users, all performance thresholds for BlaBlaCar applications have been optimized:
“Latency is extremely well managed on the DataDome side,” Francis continues. “If there is any degradation, it’s only a few milliseconds, which is largely acceptable, especially when you consider the value we get in return for the service.”
During the implementation process, it was necessary to ensure that no personal information related to users was sent to DataDome as part of the information exchange on incoming BlaBlaCar traffic.
It wasn’t just about stopping credential stuffing. DataDome’s technology could identify and neutralize more complex threats, such as bots mimicking human behavior or rotating through proxy networks to evade detection. And while stopping attacks was critical, ensuring compliance with privacy regulations like GDPR was equally important. DataDome’s design ensured that no personal user data was shared, providing BlaBlaCar with robust protection without compromising user trust.
The result: User accounts protected from known & new bot behaviors
Since the DataDome solution was activated, BlaBlaCar’s user accounts have been fully protected without any need for maintenance. DataDome’s technology, which is based on a machine learning process and pools data from all the protected sites, makes it possible to detect both known bots and new behaviors. It therefore doesn’t require any daily intervention on the part of BlaBlaCar’s technical team.
For Francis, the main challenge in a secure environment is to remain alert. In this respect, the daily report sent by the DataDome service, which presents detailed data and indicators on bot traffic to BlaBlaCar, is very useful.
“To see every day the magnitude of the threat, and to verify that it is, in this way, identified and countered, is reassuring,” Francis observes.
The true test of the partnership came during a period of intense pressure. Shortly after acquiring BusFor, a major Eastern European bus carrier, BlaBlaCar faced a wave of attacks targeting the new systems. The geopolitical situation in the region only heightened the stakes. But with DataDome already in place, BlaBlaCar was able to deploy protections rapidly, ensuring uninterrupted service during a critical time.
As the dust settled, BlaBlaCar began leveraging the insights from DataDome to refine its own internal defenses. The team built new fraud detection models and shared learnings across departments, from engineering to customer support. Together with DataDome, BlaBlaCar wasn’t just reacting to threats—it was staying ahead of them.
More than 8 years later, BlaBlaCar continues to closely monitor the integrity of account credentials on the site, as well as the nature of bots crawling the site and mobile application. As the platform continues to grow and evolve, so too will the threats it faces. But with DataDome by its side, BlaBlaCar is ready. And for its 40 million members, that means peace of mind on every journey.
*** This is a Security Bloggers Network syndicated blog from DataDome authored by Paige Tester. Read the original post at: https://datadome.co/customers-stories/blablacar-account-takeover/