You have a security problem - your users

Key takeaways
  • You will learn what a credential stuffing attack is
  • You will learn some best practices for communicating security issues to your users

Account Takeover (ATO) is an emerging security problem where an attacker gains unauthorized access to consumer accounts online, and either resells them or exploits the account for financial or informational gain. The most common ATO method is credential stuffing, where the attacker purchases cheap lists of compromised usernames and passwords on the dark web and runs the list against login endpoints of popular websites looking for successful hits. This is usually done via botnets, across distributed IPs, at scale and in short time frames, and it can be very successful because many people reuse their passwords across different services. With new regulations like GDPR, we're seeing a shift in responsibility toward data owners to keep user accounts and data safe. Companies can no longer put the burden of security on the user by enforcing multi-factor authentication and elaborate password schemes, and expect to stay compliant and safe from attacks. Learn the anatomy and evolution of credential stuffing attacks, and why simple IP rate limiting rules no longer work to protect users.

Sebastian Wallin
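
The point about IP rate limiting, as an added example that is not from the talk: over constructed login events, a per-IP limit sees nothing when attempts are spread across many addresses, while an endpoint-wide view of failure ratio and distinct sources flags the same window. The event layout, thresholds and function names are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

WINDOW = 60  # seconds per aggregation window (assumed)

def build_sample_events():
    """Constructed events: (timestamp, source_ip, username, success)."""
    events = []
    # Window 0: ordinary traffic, 20 users logging in successfully.
    for i in range(20):
        events.append((i * 3, f"198.51.100.{i}", f"user{i}", True))
    # Window 1: 400 attempts spread over 200 IPs (2 each), every attempt a
    # different username, about 1% succeeding because of password reuse.
    for i in range(400):
        ip = f"203.0.113.{i % 200}"
        events.append((60 + i % 60, ip, f"victim{i}", i % 100 == 0))
    return events

def per_ip_offenders(events, limit=5):
    """Classic rule: flag any IP with more than `limit` attempts per window."""
    counts = Counter((ts // WINDOW, ip) for ts, ip, _, _ in events)
    return {ip for (_, ip), n in counts.items() if n > limit}

def suspicious_windows(events, min_attempts=50, fail_ratio=0.8, min_ips=20):
    """Endpoint-wide rule: many attempts, mostly failing, from many sources.

    Returns (window, attempts, failure_ratio, distinct_ips, distinct_users).
    """
    stats = defaultdict(lambda: {"n": 0, "fail": 0, "ips": set(), "users": set()})
    for ts, ip, user, ok in events:
        w = stats[ts // WINDOW]
        w["n"] += 1
        w["fail"] += not ok
        w["ips"].add(ip)
        w["users"].add(user)
    flagged = []
    for win, w in sorted(stats.items()):
        ratio = w["fail"] / w["n"]
        if w["n"] >= min_attempts and ratio >= fail_ratio and len(w["ips"]) >= min_ips:
            flagged.append((win, w["n"], round(ratio, 2), len(w["ips"]), len(w["users"])))
    return flagged

if __name__ == "__main__":
    events = build_sample_events()
    print("per-IP offenders:", per_ip_offenders(events))
    print("suspicious windows:", suspicious_windows(events))
```
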
