Are Compromised Credentials Being Used on Your Website?
Published: 21/08/2018

Are Compromised Credentials Being Used on Your Website?

  • Netacea, Agentless Bot Management

4 minutes read

Compromised credentials – can someone use them on your website?

Probably. It’s reported in the news almost every day another company has been breached and more leaked user compromised credentials are apparent. With breaches occurring so frequently a potential account takeover attack on your site or application has never been higher.

Why? Someone else’s stolen credentials data breach is your problem.

When there is a reported data leak or account credentials are compromised, usernames and passwords become available to purchase on the dark web or released as a publicly posted list of compromised credentials databases. With every new breach, the dark web comes alive with a frenzy of hidden activity. Hackers and fraudsters scramble to validate combinations against other websites by using sophisticated automation technologies to test credentials, either on mass, across thousands of websites, or extremely targeted against specific online services and eCommerce platforms, leading to compromised customer credentials in your business.

This is becoming even easier to do particularly due to the rise in sophistication of cracking tools to automate the attacks with little knowledge of traditional hacking techniques required, plus, the widespread customers reusing the same password across multiple sites.

How cybercriminals use compromised credentials

Account TakeOver (ATO) is a form of fraud where a bad actor(s) will attempt to compromise the integrity of a real users account, often leveraging compromised account credentials sourced from the dark web to gain something of value.

Forrester estimates account takeover costs $7 billion in annual losses in just the financial services and insurance markets. This excludes retail where we see account takeover attacks costing some of our clients as much as 2.5% of their annual revenue. Others have also reported on this alarming rise in data breaches and ATO. reported a 45% increase in ATO in only the second quarter of last year while Forter also found ATO growth to be nearly 35% for the first two quarters of 2018 and Javelin Strategy & Research reported the tripling of ATO loses to organisations. On top of the financial loss is also the damage to customers’ faith in their online services.

While ATO can affect everything from an email service to a bank account, in the eCommerce market we have seen a huge rise in our customers coming to us to specifically help with cybercriminals performing ATO to access stored payment information and Loyalty Point abuse.

We continue to help prevent theft of banking or credit card information, placing fraudulent orders, theft of personally identifiable information for use elsewhere … the list goes on; however, the illegal redemption of loyalty point has become a costly and time-consuming problem for many retailers.

With such high gains to be made it is no wonder attackers don’t conduct account takeover attacks randomly. Cybercriminals know who, what, when, where and why they’re executing an attack. Our customers see up to nine out of every 10 login attempts on web and mobile being attributed to credential cracking attacks via mass automated login attempt

IT security professionals are fully aware that attackers are becoming more sophisticated, distributed and automated with each passing day. Cybercriminals have the tools needed and will silently test themselves and their kitbag against your website or web application over and over to establish benchmarks against your security measures and to ensure they avoid detection when performing the real account takeovers. But how do you protect from this?

Netacea – the world’s most advanced bot management solution

Radically different from other ‘black box’ solutions, Netacea is an agile and intelligent new layer of security that adapts to changing threats.

The Netacea layer of protection should be your first line of defence. It complements existing controls, such as WAF rulesets, rate limiting and threat databases.

It provides a deep, actionable analysis of all internet traffic, web reconnaissance, automated bots and legitimate website visitors and manages those journeys accordingly in real-time.

Learn more about our adaptive machine-learning approach and sign up for a Credential Stuffing Trial, where you can access the Netacea Credential Stuffing Solution and test it on your live site detecting compromised credentials.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.