New Data Reveals Public Breaches Spur 300 Percent Increase in Account Takeover Attempts

Distil Research Labs releases data uncovering the anatomy of account takeover attacks

SAN FRANCISCO, May 01, 2018 (GLOBE NEWSWIRE) -- Distil Networks, the global leader in bot mitigation, today released The 2018 Anatomy of Account Takeover Attacks Report, based on data from 600 domains that include login pages. The study revealed that all monitored login pages were hit with bad bot traffic, indicating that every website with a login page faces Account Takeover (ATO) attempts.

Hackers and fraudsters use bots to execute ATO attacks for a variety of nefarious purposes. They can validate sets of login credentials, gain access to credit card data, and sell personally identifiable information on the dark web. They can also use stolen account data to transfer money, purchase goods, or spread a specific political agenda.

In researching for the 2018 Bad Bot Report, Distil Networks found that bad bots appeared on every website with login pages. Login pages are among the most abused by hackers and fraudsters. The Anatomy of Account Takeover Attacks Report analyzes patterns found in ATO attacks, names the most popular tools used to commit these attacks,  and categorizes the three main types of ATO bot attack profiles. The report explains the contrasts between simple, moderate and sophisticated attacks, and provides defenders with advice on how to detect and prevent each type of attack.

Key Findings Include:

  • Bot operators are evenly split in how they carry out ATO attacks. Fifty percent of ATO attacks come in the form of volumetric credential stuffing, where bad bot requests are easily identifiable and attempted in bursts, typically looking like a spike of requests above the baseline. The other half of ATO attacks are through low and slow credential stuffing and credential cracking, identified by consistent, continuous login requests that bad bots run 24x7, often flying under the radar due to its slow pace.
  • After the credentials from a data breach have been made publicly available, websites experience a 300 percent increase in volumetric attacks. In the days following a public breach, websites experience 3X more credential stuffing attacks than the average of 2-3 attacks per month. 
  • Almost 20 percent of all analyzed attacks were preceded by a smaller scale “test round” a few days prior. Some perpetrators test their bad bots a few days before a large scale account takeover attack. While such tests are smaller in scale, any baseline anomaly from failed logins should be investigated.
  • Websites are most likely to experience ATO attacks on a Friday or Saturday. Thirty-nine percent of volumetric ATO attacks occur on a Friday or Saturday. This indicates that bot operators schedule attacks when it is presumed that fewer security professionals will be around to notice anomalies.

“Every time a breach comes to light and consumer credentials are exposed, any business with a login page should prepare themselves for a swell of volumetric credential stuffing attacks,” said Anna Westelius, senior director of security research at Distil Networks. “While bot operators may be purposeful in their strategy of carrying out ATO attacks, this data also renders them predictable. Organizations must educate themselves in order to identify the warnings signs, and be prepared for times when an attacker may strike.”

The findings come from the recently launched Distil Research Lab, a team of dedicated analysts who examine the most sophisticated automated threats for some of the world’s most attacked websites.

To download a full copy of The Anatomy of Account Takeover Attacks Report, visit:

To view The Anatomy of Account Takeover Attacks infographic, visit:

About Distil Networks
Distil Networks, the global leader in bot mitigation, protects websites, mobile apps, and APIs from automated threats. Fraudsters, hackers, and competitors use bots to commit online fraud, break into customer accounts, and gain an unfair competitive advantage. As the sheer volume, sophistication, and business damage of these attacks grow, bots put a costly strain on IT staff and resources. Only Distil’s unique, more holistic approach provides the vigilant service, superior technology, and industry expertise needed for full visibility and control over this abusive traffic. The Distil team pioneered bot mitigation in 2011, and has been leading the way ever since. With Distil, there is finally a defense against automated attacks that is as adaptable and vigilant as the threat itself.

For more information on Distil, visit or follow @DISTIL on Twitter.

Media Contact
Lauren Hillman
Offleash for Distil Networks
P: 510-394-2145