
Nearly everyone has a cybersecurity story involving their family; they are that common. The conversation usually goes something like this:
“The strangest thing happened to my streaming account. I was locked out of my account and had to change my password. When I logged in, all the shows were gone.”
This is an example of an account takeover attack on a customer account. What usually happens is that the streaming account is compromised through a weak or reused password, and access to it is then resold as a popular digital black-market product.
In the grand scheme of things, this is a relatively mild inconvenience for most customers: reset your credentials with a much stronger password, call the bank for a new credit card, and get back to watching The Crown in short order.
But what happens when similar incidents occur thousands of times every day across the world’s most popular web applications?
The Hidden Scale of Account Takeover (ATO)
Flare’s recent report, Account and Session Takeover Economy, reveals how widespread and expensive the problem is. Industries such as e-commerce, gaming, productivity SaaS and streaming stand out in particular, each seeing over 100,000 newly exposed accounts per month.
The report found an account takeover exposure rate of 1.4% on platforms ranging from 5 million to 300 million users. Of particular concern is the rise of session hijacking: stealing session cookies, most often via infostealer malware, which lets attackers bypass multi-factor authentication (MFA) entirely.
Returning to the streaming example, the attacker may never have logged in with a password at all. With an active session token in hand, they can load it into a browser with an anti-detect tool and gain full access without triggering alerts or an MFA challenge.
Major entertainment or e-commerce platforms with millions of users (Netflix, Epic Games or Wayfair, for example) can conservatively expect thousands of customer accounts to be exposed to takeover at any given time.
Figure: Average newly exposed accounts per month, scaling view, from Flare’s Account and Session Takeover Economy report.
What is the real cost of an ATO?
While the economic cost of ATOs is difficult to quantify fully, Flare’s report breaks it down into three main categories: labor, fraud and customer churn.
Let’s revisit the streaming example from before. Some users will shrug off the hassle and stick around for the next season. Others, however, may cancel out of frustration, especially if they had to reset their password, sort out credit card issues, or simply feel their trust has been breached. A 2023 report from fraud prevention company Sift found that 73% of users believe that companies (not users) are responsible for preventing ATOs.
We use streaming as the example in this article because of its cultural significance in global entertainment; we make no assumptions about any particular company’s security posture, breach history or business practices.
To understand the potential business impact, consider a fictional streaming service with 100 million paying customers at $120 a year…
If 0.5% of accounts are taken over (about one third of the median exposure rate), that is 500,000 affected users. If 20% of those users cancel, the company stands to lose $12 million in annual revenue. In the worst case where 73% leave, the loss rises to $44 million.
This is all very rough back-of-the-napkin math, but it provides a starting point for quantifying the financial risk associated with ATOs.
And that is churn risk alone; fraud-related losses are a whole other discussion. Now multiply this challenge across hundreds of web applications serving millions of everyday users.
Figure: ATO and fraud costs by industry.
ATO Prevention Recommendations
1. Monitor the Infostealer ecosystem
Ransomware grabs the headlines, but infostealer malware drives the majority of credential-based attacks. Flare’s data shows a 26% year-on-year increase in exposures, including stolen credentials and session cookies.
According to Verizon’s 2025 Data Breach Investigations Report (DBIR), 88% of basic web application attacks involve stolen credentials, underscoring how central infostealers have become to modern account takeover operations.
2. Detect and fix exposed accounts
Organizations can dramatically reduce ATO risk by feeding real-time infostealer intelligence into their identity and access management systems. This lets them detect and remediate compromised accounts, especially those with valid session cookies in circulation, which let an attacker bypass authentication entirely.
Proactive monitoring and automated remediation can stop account abuse before it affects the customer experience or bottom-line metrics.
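The two defensive ideas in the passages above (catching a stolen session cookie that is replayed from another browser, and revoking sessions that show up in infostealer intelligence) can be sketched in code. The following is an added example and not Flare’s code or any particular platform’s implementation; the session store, the fingerprinting rule and the cookie-hash “intelligence feed” are all hypothetical and the sample data is constructed.

```python
# Added example (not Flare's code): two defender-side checks on web sessions.
# 1. Replay detection: a session cookie presented from a client context that
#    does not match the one seen at login is pushed back through MFA instead
#    of being served (the infostealer + anti-detect browser pattern).
# 2. Exposed-cookie remediation: a feed of session cookie hashes reported as
#    stolen (a hypothetical intelligence feed, constructed below) is matched
#    against live sessions, which are then revoked.
import hashlib
import secrets
from dataclasses import dataclass


def cookie_hash(cookie: str) -> str:
    """Store only a hash of the cookie so the session store is not itself
    a second copy of every live credential."""
    return hashlib.sha256(cookie.encode()).hexdigest()


@dataclass
class Session:
    user: str
    user_agent: str
    ip: str
    revoked: bool = False


class SessionStore:
    def __init__(self) -> None:
        self._by_hash: dict[str, Session] = {}

    def create(self, user: str, user_agent: str, ip: str) -> str:
        """Issue a fresh random cookie bound to the client context seen at
        login; returns the cookie value to set on the response."""
        cookie = secrets.token_urlsafe(32)
        self._by_hash[cookie_hash(cookie)] = Session(user, user_agent, ip)
        return cookie

    def authorize(self, cookie: str, user_agent: str, ip: str) -> str:
        """Decide how to treat a request carrying `cookie`.

        "ok"       live session, same client context
        "step_up"  live session but the User-Agent changed: require MFA
                   before serving. A cookie replayed from another browser
                   lands here unless the attacker also spoofs the UA, so
                   treat this as one signal, not proof.
        "rejected" unknown or revoked session
        A changed IP alone is tolerated (mobile users roam) but would be
        logged in a real deployment.
        """
        s = self._by_hash.get(cookie_hash(cookie))
        if s is None or s.revoked:
            return "rejected"
        if user_agent != s.user_agent:
            return "step_up"
        return "ok"

    def revoke_exposed(self, exposed_hashes: set[str]) -> list[str]:
        """Revoke every live session whose cookie hash appears in the feed.
        Returns the affected users so they can be notified and forced to
        reset their password."""
        hit = []
        for h, s in self._by_hash.items():
            if h in exposed_hashes and not s.revoked:
                s.revoked = True
                hit.append(s.user)
        return hit


def demo() -> dict:
    """Run both checks on constructed data and return the verdicts."""
    store = SessionStore()
    victim_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/126.0"
    cookie = store.create("alice", victim_ua, "203.0.113.10")

    results = {
        # Legitimate owner, same browser, roaming to a new IP: still served.
        "owner": store.authorize(cookie, victim_ua, "198.51.100.7"),
        # Same cookie replayed from a different browser profile: step-up.
        "replay": store.authorize(
            cookie, "Mozilla/5.0 (X11; Linux x86_64) Chrome/125.0", "192.0.2.44"),
    }

    # Constructed intelligence feed: hashes of cookies reported as stolen.
    feed = {cookie_hash(cookie), cookie_hash("unrelated-cookie-seen-elsewhere")}
    results["revoked_users"] = store.revoke_exposed(feed)
    # After revocation even the rightful owner must log in again.
    results["after_revoke"] = store.authorize(cookie, victim_ua, "203.0.113.10")
    return results


if __name__ == "__main__":
    print(demo())
```

Binding a session to client context raises the cost of replaying a stolen cookie but does not eliminate it, which is why the intelligence-driven revocation path matters: it works even when the attacker’s browser is indistinguishable from the victim’s.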
3. Communicate a security-first approach
Introducing friction such as a forced password reset can hurt the customer experience. Yet most users expect businesses not only to protect their data but also to tell them when something has gone wrong.
Also from Sift’s report: only 43% of ATO victims were informed by the company that their account had been compromised. Customers who experienced the fraud but were never notified may conclude that the company is either unaware of the takeover or doing nothing to help them.
By clearly communicating the purpose behind these measures, organizations can reframe proactive security as a value-added feature. Transparency around ATO risk helps customers feel safer and more loyal.
About the Author: Nick Ascoli is Flare’s Director of Product Strategy and an experienced threat researcher with recognized expertise in data leaks, reconnaissance and detection engineering. Nick is an active member of the cybersecurity community, contributing to open source projects, regularly appearing on podcasts (such as the CyberWire and Simply Cyber) and speaking at conferences (such as GrrCON, BSides, DEF CON villages and SANS).