What is account takeover (ATO), and how do attacks work?

Account takeover occurs when cybercriminals gain access to user accounts with stolen credentials. But how do bad actors get those credentials?

The answer: credential stuffing. It has a low barrier to entry, a high cost to businesses, and some nasty repercussions for people’s lives. Credential stuffing uses automation to test stolen usernames and passwords to break into hundreds or thousands of websites at a time.

Fraudsters take advantage of the fact that many people reuse the same username (or email address) and password combination across different platforms, everything from banking accounts to subscription services. After attackers have broken into an account and obtained information, they’ll do one of the following things:

  • Sell the information
  • Sell the related rewards or loyalty points
  • Hack into other accounts that are use the same credentials, then sell that info
  • Take linked payment methods or credit cards to make purchases unrelated to the initial attack
  • Do more recon to gather additional personal information

At Kasada, we observe credential stuffing attacks take the form of waves. A recent example we detected and defeated for a retailer looked like this:

Wave One — Standard tooling: a surge in traffic using a worldwide proxy network and browser session hijacking.

Wave Two — First retooling: a full-force attack using localized residential IPs and clean browser sessions.

Wave Three — Second retooling: a slower attack, using the same tools as Wave Two but starting in the morning to mimic real human traffic.

What’s the impact of account takeover on your business?

From your revenue to your customer experience to your very brand itself, credential stuffing attacks have a range of harmful effects:

  • Increased fraud claims and costs
  • High password authentication and other infrastructure costs
  • Potential for expensive regulatory fines
  • Loss of customer loyalty (and customers themselves)
  • Damage to your reputation and brand equity


Account takeover (ATO) fraud climbed 378% over the past 3 years.

Why is Kasada effective for stopping ATO?

Kasada looks for immutable evidence of automation from the very first request, instead of relying on contextual data from the past which takes time and ongoing maintenance. Our approach stops malicious login requests from ever entering your infrastructure where damage can be done. Whereas traditional tools simply take too long to make their decision and get tricked when bots hide behind residential proxy networks.

Kasada makes bots, not humans, do the work, by cleverly deterring synthetic traffic with a proof-of-work challenge that makes it arduous and expensive for bots to continue their attacks, while remaining imperceptible to (and requiring no action by humans). This makes brute force methods such as credential stuffing impractical to conduct at scale.

The level of visibility that Kasada provides into application traffic is critical to identifying and isolating attack traffic. Using this visibility, we can create highly accurate indicators of compromise (IOCs) to share with our customers, making sure that if this group visits any of their applications, they’ll be able to monitor them closely and block attacks like this one.

Want to learn more?

Beat the bots without bothering your customers — see how.