Account takeover attacks are enabled by weak passwords

Luciano Mondragon

20.08.20 4 min. read

Account takeover means that someone gets unauthorized access to your online account. Account takeover fraud can lead to online identity theft when criminals get access to the personal information stored in online accounts. With the stolen accounts and information, hackers can, for example, buy goods with your credit card or take out loans in your name. To take over your account, hackers need your password and username.

A classic example of account takeover

Account takeover fraud is a growing problem because it’s risk-free and profitable for criminals. “If it hasn’t happened to us ourselves, we probably know someone it has happened to,” says Olli Bliss, manager of Business Development at F-Secure. Watch the video at the end of this post to hear him talk more about account takeover.

Bliss sure knows what he’s talking about. One day, a colleague of Bliss heard from his son that his Netflix account couldn’t be accessed. It turned out that he had used the same password for his Netflix account and for another of his online accounts. This other account had been part of a data breach that he didn’t know about. Since the password was the same, somebody had been able to use it to take over his Netflix account and change the password there. “This is a classic example of what can happen when we rely on weak and recycled passwords,” says Bliss.

Credential stuffing – an automated process to break in

When an online service gets breached, hackers can access massive amounts of stolen login credentials at once. The way they use this stolen information to access accounts is a highly automated process called credential stuffing. Hackers don’t go around typing stolen username and password combinations by hand; they let programs do that for them. This makes it much faster to test which passwords can be used to access the victim’s online accounts.

The stolen credentials are used on multiple sites to test if hackers can get through. And they are typically used to get access to online accounts that include credit card numbers or other payment details. Payment details and other sensitive personal information are used for online identity theft. With credential stuffing, account takeover is really nothing personal. It’s an automated criminal operation.

The only reason credential stuffing can be successfully used to access other accounts is that people reuse their passwords. The way to counter this is therefore to have a unique password for each account. When one account is breached, the same password can’t be used to access other accounts. For example, in the case Olli Bliss described, the Netflix account would have been safe had it been protected with a unique password. And don’t worry, you don’t have to remember all of your passwords. You can use a password manager for that. Despite this simple safety measure being available, most people reuse their passwords on multiple accounts.

Your personal information is spread across the internet

Whenever you create a profile on a new service, or make a purchase online, almost without exception you have to give out some personal information. How much and what you need to give depends on the service. Sometimes you can fill in fake information, but quite often that’s just not an option. For example, when making a purchase, you want it to be shipped to the right address and to the right person. And you need to give your actual credit card or other payment details in order to make the purchase in the first place. Service providers then store this information in their databases.

We all have a lot of online accounts, and most of us have made many purchases from multiple online stores. As a result, there are numerous parties out there who have our personal information stored. Quite likely you don’t even remember all the online accounts you have created. The same goes for all the online purchases you’ve made during your lifetime. Yet data about them may still exist and be stored somewhere. What’s even more alarming is that your online accounts – old or new – can often be accessed with the same login credentials you use for more important accounts. And they are all vulnerable to data breaches. Some more than others.

How weak passwords enable account takeover

Hackers often target services that aren’t paying as much attention to security as, for example, those run by huge international corporations. And because most people tend to use the same login credentials for multiple services, the data that hackers are able to steal can be easily utilized elsewhere. This way a seemingly meaningless service getting breached can actually be a major security threat.

The point is not to breach a meaningless web service, but to steal the user login credentials from there, and then use them to access more important services. Just like in the case Olli Bliss described – the Netflix account itself wasn’t hacked, but a service that used the same password was. Now, imagine the same password could be used to access, for example, PayPal. That is why account takeover fraud happens. And account takeover is just a first step on the path to online identity theft. That’s why you should pay attention to your passwords.

The common denominator of all online accounts is that they need a password to be accessed. That’s the issue here. If you use the same password everywhere, or only a few of them, then when one of your passwords gets compromised, hackers can access other accounts with it. That is how weak passwords enable account takeover.
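The reuse problem described above can be checked on your own list of accounts. The following is an added example, not code from F-Secure or from the original post: it takes a constructed sample vault (all service names, usernames and passwords are made up), lists which accounts share a password, shows which other accounts remain reachable with the same username and password pair if one service is breached, and replaces every shared password with a unique random one.

```python
import hashlib
import hmac
import secrets
import string
from collections import Counter, defaultdict

# Constructed sample vault: (service, username, password). Not real credentials.
VAULT = [
    ("forum.example", "sam@example.com", "Summer2020!"),
    ("netflix", "sam@example.com", "Summer2020!"),
    ("paypal", "sam@example.com", "Summer2020!"),
    ("shop.example", "sam.old@example.com", "Summer2020!"),
    ("bank.example", "sam@example.com", "k9#Vt!2qLw8z"),
]
_KEY = secrets.token_bytes(32)  # per-run key: fingerprints are useless elsewhere

def fingerprint(*parts):
    """Keyed digest for comparing secrets without passing plaintext around."""
    return hmac.new(_KEY, "\0".join(parts).encode(), hashlib.sha256).hexdigest()

def reuse_groups(vault):
    """Groups of services that share one password, whatever the username."""
    groups = defaultdict(list)
    for service, _user, password in vault:
        groups[fingerprint(password)].append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def exposed_by_breach(vault, breached):
    """Other services where the leaked username and password pair still works."""
    leaked = {fingerprint(u, p) for s, u, p in vault if s == breached}
    return sorted(s for s, u, p in vault
                  if s != breached and fingerprint(u, p) in leaked)

def rotate_reused(vault, length=20):
    """Give every account with a shared password its own random password."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
    counts = Counter(fingerprint(p) for _s, _u, p in vault)
    return [(s, u, "".join(secrets.choice(alphabet) for _ in range(length))
             if counts[fingerprint(p)] > 1 else p)
            for s, u, p in vault]

if __name__ == "__main__":
    print("shared passwords:", reuse_groups(VAULT))
    print("exposed if forum.example leaks:", exposed_by_breach(VAULT, "forum.example"))
    fixed = rotate_reused(VAULT)
    print("after rotation:", reuse_groups(fixed), exposed_by_breach(fixed, "forum.example"))
```

The shop.example account appears in the reuse groups but not in the breach exposure list, because it uses a different username and the leaked pair does not match it exactly; it still gets a new password during rotation.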

You can’t react to a breach you don’t know about

Even if you use unique and strong passwords, your account can still be breached. Now, imagine an account of yours was breached and hackers got your password. Would you be able to take action to secure your account? The answer is no – if you have no idea that your account was breached in the first place. That’s where F-Secure ID PROTECTION comes to the rescue.

F-Secure ID PROTECTION is a password manager with a very useful function that separates it from others. You can set it to monitor your data online, so when a service you use gets breached, you will be alerted. This way you can change your password before hackers have time to take over your account.

Because ID PROTECTION also works as a password manager, you can generate strong and unique passwords and store them securely. It’s a super powerful tool to help stay free of account takeover and identity theft.
