Authomize Research on Post-Holiday Account Takeovers

26/01/2023 • Gabriel Avner

In the fight against cyber criminals, security professionals can at times put too much of an emphasis on the cyber part of this equation.

On the whole, our industry has gotten pretty good at detecting indicators of compromise, malware, and plenty of other risks and threats facing our organizations.

And yet, sometimes we need to take a step back away from the keyboard, touch some grass, and think about the criminals that are behind the attacks.

Despite the advances in AI (keep an eye out for mailboxes full of ChatGPT-generated phishing emails), the malcontents on the other side of that social engineering campaign are people.

If we want to get better at keeping their sticky fingers off of our precious data, then we need to understand their behavior better. What are their motivations (almost always money with the lulz being of a bygone era)? And why do they come at us the way that they do?

New research out of Authomize’s security research team sheds light on recent account takeover attempts, leading us to draw a few conclusions about what it means.

Back to the Office, Back to Doing Dirt 

With the winter holiday season behind us, our researchers were ready to dig back in, getting back to business after the lull.

What they found was that the hackers were also already hard at work, refreshed after some quality time away. 

In the days following the return to work after the break, we noticed a massive spike in the number of malicious login attempts targeting our customers.

Spike in number of failed logins month view

Failed login attempts Dec 11, 2022 – Jan 11, 2023

Measured in Days

Compared with the average failed logins, say over three months, this spike was definitely out of the ordinary.


Failed logins over 3 months

Failed login attempts Aug 29, 2022 – Jan 11, 2023 

Measured in Weeks

Especially given how the number of folks who were actually logged in during that week.


Logins over a month

Users logged in Dec 11, 2022 – Jan 11, 2023

Measured in Days

Something was definitely up, and we had questions.

Unusual Behavior Sets Off Red Flags

For starters, usual hacker behavior is to attempt to target organizations during holidays. The 4th of July or other long weekends when American companies take time off are classic times for hacking crews to cause mayhem.

And it makes sense. 

There are fewer folks around to notice that something might be wrong and security teams are on skeleton crews/pager duty, making it harder to respond effectively. 

As we see from our month of failed login attempts chart, there was a slight bump over the holiday break. But it does not hold a candle to what we once folks have come back to work.

So what gives?

From the best we can tell, we can propose three theories about what is going on here:

  1. Slip in Undercover

    Since the hackers were trying to pose as legitimate employees logging back into their systems, they may have wanted to avoid detection tools that would have easily picked up on the spike during the break.

    This means that they likely tried to hide under the cover of legitimate traffic of regular logins.

  2. Bots Gone Wild

    Something likely went wrong for our hackers. Instead of flying in under the radar, they were like a bull in a china shop. 

    Having scraped creds off of whatever forums and leaks that may have exposed bits and pieces of data like email addresses, passwords, and/or associated services, they sent their bots into overdrive in their attempt to breach their targets. In our research here, the vast majority of targeted accounts appeared in the “Collection #1” data leak.

    While a little bit of brute force never hurt, in this case it shot up red flares that could not be missed.

  3. Criminals Need Vacation Too

    Given the advantages of hitting their targets over the break, why did they choose to come at them later?

    The likeliest answer here is that they were on vacation too, taking some quality time off with family and friends for winter holidays.

    It is similar to how there is often a lull in attacks over the summer when the hacking crews take a few weeks off to recharge on the shores of the Black Sea. After all, what good are ill-gotten gains if you cannot enjoy them?

Until we have a chance to sit down with the hackers for a post-mortem on this campaign, these theories will remain assumptions.

What is certain though is that attackers will continue to attempt to take over accounts using stolen credential information.

Varieties of Account Takeover Attacks

In their fantastically written Data Breach Investigations Report for 2022, the team over at Verizon found that over 40% of breaches were the result of stolen credentials, topping the list by far.

Credentials often find themselves in the wrong hands after a breach that targeted credentials, ending up on hacker forums for sale, or just to cause damage. If you want to see if any of your credentials may be floating around online, jump over to the fabulous Have I Been Pwned site for a minute, and change your passwords if you have been impacted.  

The three most common methods of using stolen creds are as follows:

  1. Credential Stuffing 

    Here attackers know the user details plus the password pairs (often taken in a leak) and they throw them at a bunch of services (SaaS app, etc…) to see if any of them are valid there. Common apps and services are particularly vulnerable to these attacks.

  2. Password Spraying

    The attacker has prior knowledge of passwords that are likely to be in use and targets a specific service. They guess potential usernames and use the known password set in the hope of hitting a successful login.

  3. Brute Force

    The attacker knows a targeted username in a specific service and just starts guessing passwords. Dictionary attacks are pretty common here, making it even more important to create random passwords.

More often than not, attackers use a combination of these practices, throwing spaghetti at the wall until they hit paydirt.



In the event that an identity is compromised, hackers can build on their initial foothold within the targeted organization to reach more sensitive data and systems. 

Common tactics include:

  • Lateral movement
  • Privilege escalation
  • Gaining persistence

Given these threats to the identity, organizations need to take proactive steps to protect themselves from identity-based attacks that use compromised credentials.

How Can Identity Threat Detection and Response Protect Against Account Takeover Attacks? 

Once we take the realistic approach of assuming that attackers have probably breached our organization, we need to consider how to mitigate our overall risk and limit their ability to cause damage.

A new security discipline defined by Gartner, Identity Threat Detection and Response (ITDR) gives organizations the tools to protect their identity and access management (IAM) infrastructure. 

Authomize’s agentless ITDR Platform enables organizations to:

  • Eliminate their Identity Security Posture Risks with Just Enough Access Everywhere
  • Detect Active Threats Across Clouds (IaaS & SaaS) and IAM Infrastructure
  • Respond Effectively and In-line with Security Operations
  • Accelerate Investigation and Prioritize By Context

To learn more about Authomize and ITDR, request a complementary copy of Gartner’s “Enhance Your Cyberattack Preparedness With Identity Threat Detection and Response report.

Next read

Solution Brief

Learn how Authomize's solution is changing the way companies are managing authorizations