Account Takeovers: Why Someone Else’s Data Breach is Your Problem.

Sacre Bleu! French marketing firm Octoly are the latest victims in an ever-growing list of cyber security attacks that have obtained user credentials.

One of the instances of Octoly’s Amazon Web Services (AWS) was successfully attacked last week, resulting in the theft of 12,000 social media personalities’ confidential data by cyber criminals.

A successful breach like this is designed to enable financially driven cyber criminals to perform account takeovers on other online services or to sell those credentials on the dark web.

Octoly work with global brands such as Dior, Mac and Clarins, who send their products to content creators and social media influencers to review on their websites or social media platforms. Identification tokens that can be used to gain control over accounts were stolen in the Octoly data breach – making it possible to hold accounts to ransom.  

credential cracking

What Are The Effects of Compromised Account Details?

Once compromised, automated bots use the credentials and variations of the password to gain access to the owner’s other accounts; shopping, personal banking, gambling, personal email, fashion buying, personal productivity services (DropBox, OneNote etc.)  insurance accounts, gaming, media streaming, corporate accounts (Salesforce, Office365, SAP, WordPress etc.) the list goes on.

From there, monetisation activities are performed; verified compromised accounts are sold on the dark web or are used to place fraudulent orders, empty the account balance, gain access to corporate infrastructure & IP, again, the list goes on.

Like most stealth attacks, the breach can go unknown while the bounty from the attack is exploited. There is no telling as to the extent of further data breaches since the initial obtaining of the credentials. Especially considering the amount of bot based web traffic simultaneously performing automated credential stuffing actions on thousands of sites, often unknown to the website or application service owners.

The Butterfly Effect

If your website has a login page, the most precautious approach to security is to assume malicious bots will be constantly probing it, often with details that work on other sites.

Mark Zuckerberg used the same password for his Twitter and Pinterest accounts ‘dadada’ which were hacked by a group called ‘OurMine’. They didn’t post anything damaging, but if a cyber criminal had hacked his accounts, the results could have been financially and reputationally ruinous instead of just embarrassing. Tests show it would have taken just 25 seconds to crack that password as it was so simple.

What Does Account Takeover Mean to an Organisation?

Like Mark Zuckerberg, people often share the same password, or variations of it, across multiple accounts. Therefore, your customers could be subject to account takeover, leaving you to pick up the bill on a huge range of activities.

  • Fraudulent orders being made from customer accounts – the customer wants a refund and your stock is now in the hands of a criminal.
  • The emptying of high net worth accounts – gaming and gambling accounts can be drained and funds transferred to organised crime rings.
  • Illegal redemption of loyalty points – eCommerce accounts can be abused and loyalty points redeemed in exchange for products.

While you are not responsible for a breach on a 3rd party site, account takeover can damage brand reputation, impact bottom line profits and ultimately leave you with a new breach of your own to manage.

How Big is The Account Takeover Problem?

Account takeover is a growing problem space in 2017, with over 3.3 billion user accounts compromised in 2016 and sold online. These several billion credentials are then sold on to tens of thousands of cyber criminals around the world who programme bots to automatically enter thousands of web login forms in real time.

Over half of the worlds’ web traffic is automated, of which much is of malicious nature. 30 - 35% of all web traffic is automated cyber threats.

Automation: The Security Killer

Nine out of 10 login attempts can be sourced to credential stuffing bots. These automated bots can fire millions of requests at a website and bypass traditional security controls such as IP rate limits and blacklists with a simple use of proxy lists.

This huge increase in traffic consumes bandwidth (which the platform owner is paying for) and can slow a website down – directly impacting the customer journey of humans trying to use the website. Credential stuffing can also mask other bot activities on the website and make automated traffic harder to track.


account takeover

Two thirds of attacks come from new IP addresses every day, with single attacks utilising tens of thousands of IP addresses. Reactive blacklists cannot compete with this level of automation and bots can bypass traditional rate limiting technologies such as a WAF.

CAPTCHA isn’t the bot defence once hoped for because hackers can use Optical Character Recognition (OCR) software to solve the challenges CAPTCHA presents in the same way a human user would. It has become an inevitability that every targeted website will be hacked if they don’t employ specialist Bot Detection software as a part of a multi layered security strategy.

These attacks happen globally, with an attack on the Central Bank of Bangladesh costing $81 million when hackers gained access to one of their employees SWIFT account. A year later in 2017, it was found that 198 million voter records were exposed, which, like Octoly, had been hosted on an Amazon S3 Server. With the personal data of a decades’ worth of confidential data available for anyone to find, this could have led to financial loss and even identity theft of the victims.

Protect Your Business From Account Takeovers

There are several preventative steps you should take.

The first and foremost to protect your customer accounts, your infrastructure and business, is to encourage or enforce regular password rotation. Ensuring your customer accounts have regular password updates and educating customers not to use the same password on other websites can help reduce the attack vector for previously compromised credentials to be used to gain illegitimate access.

Together with the above employ a multi-layered security strategy, selecting best-in-breed solutions such as WAFs and DDoS protection to prevent against brute force attacks designed to disrupt your web service availability.

As cyber criminals identified and exploited new vectors into your customer accounts and infrastructure, the luxury of a dedicated bot management solution has become the top priority for every security officer responsible for understanding web visits.

TrafficDefender is industry leading software that is proven to stop bot attacks. TrafficDefender enables businesses to accurately identify different types of automated traffic and implement an effective bot management process.

While it is a widespread solution to prevent business-disrupting bots such as price scrappers, content stealers, ad-fraud bots, the most common projects we are delivering is to secure websites and applications from the cyber threats presented by malicious bots.

To optimise web traffic it is imperative to have full visibility and control over both malicious and revenue generating bots. With various bots hitting your site from scalpers, spinners, spammers and bulk and targeted attacks that are growing in sophistication every day, a standard web security solution will not protect you. We minimise the chance of attacks without blocking all automated traffic.

Data breaches and account takeovers are fuelling a trillion-pound cyber crime industry and they are making their money by stealing from people like you.

Trafficdefender bot

TrafficDefender Bot Detection uses machine learning to analyse every web request in real-time. It analyses actual behaviour patterns and predictive intent to give a more holistic, secure layer. This enables customers to identify bot behaviour and stop bots that would typically bypass signature based approaches.

Our shared intelligence database is continuously updated, leveraging data collected from billions of requests to recognise new threats. As soon as cyber criminals evolve their bots for a new form of attack, we protect against it.

To find out how TrafficDefender can protect your website from malicious traffic sign up for a free demo today.