Account Takeover

An Account Takeover (ATO) attack occurs when a malicious actor gains access to a user's account by guessing or obtaining the user's password or session token. Tools such THC-Hydra and Burp Suite are commonly used by attackers due to their capabilities to perform various types of ATO attacks. tCell protects your application by monitoring authentication events to identify and block ATO attacks. Additionally, tCell provides a list of compromised users, giving you the ability to quickly remediate.

What is it?

An ATO attack consists of a malicious actor gaining temporary or persistent access to a user’s account. There are two common types of ATO attacks: session hijacking and password attacks. A session hijacking attack occurs when a user’s application authorization tokens stored in cookies are stolen via other attack vectors, such as XSS or SQL Injection. This token is then used to gain temporary access the user’s account and perform any actions as that user. Password attacks use techniques such as character enumeration (brute-force), using dictionary words (dictionary) and lists of previously stolen credentials (credential stuffing) to gain access to a user’s account. Some of the security best practices to protect your application is to use two factor authentication and rate limiting. OWASP’s Blocking Brute Force Attacks and OWASP’s Credential Stuffing Prevention Cheat Sheet are both great resources to learn more about preventing ATO attacks.

How do malicious actors find vulnerabilities?

Most commonly, a malicious actor would use tools such as THC-Hydra and Burp Suite to perform ATO attacks. Both tools have functionality allowing them to perform credential stuffing, dictionary, and brute-force attacks.

How do I use tCell to protect my application?

tCell can detect account takeover attacks by instrumenting the application's authentication framework. It natively supports the following frameworks:


  • Spring Security 5.0.x
  • Spring Security 4.0.x

Login detection with Spring Security

The Spring Security default configuration doesn't register the handlers required for login detection. You must change your app authentication to support tCell, or use login hooks.


  • Devise
  • Authlogic

Authlogic auto-instrumentation not supported for Ruby

Authlogic HTTP Basic Authentication auto-instrumentation is not supported for Ruby. Customers who use Authlogic HTTP Basic Authentication and want Account Takeover need to use login hooks.


  • Django Auth


Passport (express)

We recommend using a supported authentication framework. If you do not use a supported framework, use the hooks package.

Login attack and session hijacking limitations

The following two limitations in Passport can be resolved by using login hooks

  • User validation data is not included in the event data for login attack detection
  • Because there is no session ID data, the session-hijacking feature does not work.

tCell allows for use of API hooks in order to receive authentication data from frameworks that are not natively supported. Please see the Development pages in the left navigation pane for detailed instrumentation instructions.

Node agent login event limitation

The Node agent's default account takeover detection, which instruments the passport-local middleware, returns only whether authentication was a success, a failure, or that it resulted in an error. It does not indicate whether the user alone is valid.

You can enhance the account takeover detection of node-based applications by calling the Node login hooks in your auth implementation with user_valid filled out. However, for precise account takeover monitoring, you should switch to custom middleware instead.


Account takeover is enabled by default in the console. To verify, in your tCell console go to Policies -> Account Takeover and ensure that all of the checkboxes on the page are checked. tCell monitors the following data points:

  • Authentication failure rates
  • Authentication attempt rates
  • Page view patterns post authentication
  • Session tokens

This data is streamed into tCell’s cloud service, which analyzes authentication histories over windows of time ranging from 10 minutes to 30 days. The data is augmented with additional information such as:

  • IP reputation
  • Geo location
  • ASN

tCell’s analytics engine then identifies attacks, including bot attacks, both distributed and individual, short lived and long running.

It will also provide you a list of compromised user accounts so you can quickly remediate. If a user’s account is compromised via a session hijacking attack, you should invalidate their session token. If the user’s account password is compromised, you should have the user change their password and disallow account access until that has been completed. tCell's analytics engine can identify attackers that can then be automatically blocked. This is done using tCell’s Suspicious Actors feature. To enable blocking, go to Policies -> Suspicious Actors and ensure that Automatic blocking of Suspicious Actors is set to either Block Suspicious Requests or Block All Traffic.

Ongoing password failures

Automatically handling misconfigured clients

Clients that always fail to log in using the same username and password are not flagged as account takeovers. A client that always fails with the same username and password is typically a misconfigured piece of software, not a deliberate attack, and does not get flagged as an account takeover attempt.