New Data Uncovers 300% Increase in Post-Breach Account Takeover Attempts

By Roy Urrico05.14.2018

Once data breaches take on a public life, websites experience a 300% increase in volumetric credential stuffing attacks, many aimed at financial authentications, with the weekends showing the greatest susceptibility.

That is among the revelations from San Francisco-based bot mitigation firm Distil’s “The Anatomy of Account Takeover Attacks,” based on data from 600 domains that include login pages. The findings come from the recently launched Distil Research Lab, a team of dedicated analysts who examine the most sophisticated automated threats for some of the world’s most attacked websites.

Hackers and fraudsters use bots to execute ATO attacks for a variety of purposes. They can validate login credentials, gain access to credit card data, and sell personally identifiable information on the darknet. They can also use stolen account data to transfer money, purchase goods, or spread political agendas.

Distil Networks found bad bots appeared on every website with login pages, which are among the most abused by hackers and fraudsters. The report analyzed patterns found in ATO attacks, named the most popular tools used to commit these attacks and categorized the three main types of ATO bot attack profiles.

The report also explained the contrasts between simple, moderate and sophisticated attacks, and provides defenders with advice on how to detect and prevent each type of attack.

Key findings include:

  • In the days following a public breach websites experience three times more credential stuffing attacks than the average of two-three attacks per month.
  • Fifty percent of ATO attacks come in the form of volumetric credential stuffing, where bad bot requests are easily identifiable and attempted in bursts, typically looking like a spike of requests above the baseline. The other half of ATO attacks are through low and slow credential stuffing and credential cracking, identified by consistent, continuous login requests that bad bots run 24/7, often flying under the radar due to its slow pace.
  • Smaller scale “test round” incursions preceded almost 20% of all analyzed attacks.
  • Thirty-nine percent of volumetric ATO attacks occur on a Friday or Saturday. Bot operators schedule attacks when it presumed that fewer security professionals will be around to notice anomalies.

Every time a breach comes to light and exposes consumer credentials, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks, Anna Westelius, senior director of security research at Distil Networks said. “While bot operators may be purposeful in their strategy of carrying out ATO attacks, this data also renders them predictable. Organizations must educate themselves to identify the warnings signs and be prepared for times when an attacker may strike.”

Westelius explained a login attack involves a bot or script trying to automatically access a login endpoint. “Either to test sets of credentials or if they have a valid login they can use them somewhere else or to get access to information, PII, credit card data, to sell or distribute.”

Financial institution and fintech type attacks are more direct because of the monetary incentive or very, high value data. When it comes to non-financial data hackers just want to verify the validity of credentials for later use. “(Attackers) get access to so much more when it comes to financial institutions in comparison to other types of websites,” Westelius suggested. “So that’s really where we see the highest level of sophistication of attackers.”

“I would say that one of the surprising things is you would not expect absolutely every website to have these types of issues,” Westelius noted. She added Distil researcher were also a bit surprised as to the frequency of these attacks and the weekend liability “We had heard a lot of our customers are complaining about their security not being allowed to go home on Friday and having to work weekends to battle these problems. Attackers really think about when someone’s going to be there and try to adapt to when no one’s going to notice alarms going off.”

Reprinted with permission from, an independent source for credit union news founded by Randy Smith and John Pettit.