Users at Risk

View the list of user accounts that have been hacked or are at risk of being compromised. Review the details of the user accounts at risk and take appropriate action, such as advising your customers to change their passwords.

On the Account Takeover Protection dashboard, under Users under risk, click the View details links.

Compromised Users

Users whose login credentials have been hacked and then used for a successful login that has been determined to have malicious intent.

We examine each login, add it to our database, and compare it to publicly available lists of leaked credentials. If a match is found, it is displayed here, enabling you to take appropriate action, such as requesting that your customer change their password.

Compromised user logins

Displays information on suspicious logins by Source IP. Click a row to display the list of users in the Account takeovers table.

Source IP
The IP address of the suspicious login.

Country
The country of origin of the source IP.

# of account takeovers
The number of users hacked by the selected IP address. The list is displayed in the Account takeovers table on the right. See more details below in Account takeovers.

IP reputation
The categorization of the source IP, based on our internal classification and assessment mechanisms. The reputation gives an indication of the type of activity originating from that IP, for example, comment spammers, anonymous proxies, or Google Cloud Platform.

Last seen
Time stamp of the last login attempt.

Risk level
The severity of the risk. For more details, see Attack Probability in Account Takeover Protection.

Account takeovers

The users hacked by the selected IP address. User names are encrypted.

Select a Source IP in the left pane to display the list.

Username
The encrypted user name of the compromised account.

To access the username details for the users who attempt to log in to your protected sites, you can configure Account Takeover Protection settings to display username data in cleartext. For details, see View Username Data.

Client application
The client application used for the account takeover. For the full Imperva client classification list, see Client Classification.

Declared client app
The client application used for the account takeover, according to the declaration in the User-Agent HTTP header of the login request. For the full Imperva client classification list, see Client Classification.

Reason
The trigger for identifying that the user account was hacked. For more details, see Reasons.

Event time
Time stamp of the account takeover.

Users with leaked credentials

Users whose login credentials have been found in publicly available online databases of leaked credentials.

View the list of user names, the IP address used to log in, and the time of login.

Reasons

The activity that caused these accounts to be marked as compromised.

Reason Description
Brute force

Excessive failed login rate across multiple usernames, originating from the same device in a short period of time.

Determined by factors such as the login result ratio per device, number of usernames, and the device risk based on Imperva reputation and classification indicators.

Password brute force

Excessive failed login rate with an excessive number of different passwords, originating from the same device in a short period of time.

Determined by factors such as the login result ratio per device, number of failed logins, and the device risk based on Imperva reputation and classification indicators.

Common password

Excessive number of failed logins using common passwords (the passwords most frequently used in dictionary attacks, e.g. 123456), originating from the same device in a short period of time.

Determined by factors such as the number of failed logins per device, password reputation, and the device risk based on Imperva reputation and classification indicators.

Common user

Excessive number of failed logins using common user names (e.g., admin, administrator), originating from the same device in a short period of time.

Determined by factors such as the number of failed logins per device, user reputation, and the device risk based on Imperva reputation and classification indicators.

Credential stuffing

Excessive number of successful logins using known leaked credentials, originating from the same device in a short period of time.

Determined by factors such as the login result ratio per device, credential reputation, and the device risk based on Imperva reputation and classification indicators.

Suspicious number of users

Excessive number of users successfully logged in from the same device in a short period of time.

Determined by factors such as the login result ratio per device and its risk based on Imperva reputation and classification indicators.
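The following is an added illustration, not Imperva's code, of the two mechanisms this topic describes: the comparison of logins against a leaked-credential list (see Compromised Users above) and the six per-device reasons in the table above. It groups a constructed login log by device and reports which reasons fire. The log fields, the numeric thresholds, the 5-minute window, the common-password and common-user lists, the hashed leaked-credential list and the halving of thresholds for a risky IP reputation are all assumptions made for the example; the real service derives device risk from its own reputation and classification indicators, which are not described on this page.

```python
# Added illustration, not Imperva's code: a toy per-device classifier for the
# six reasons listed above. Log fields, thresholds, reputations and all sample
# events are assumptions constructed for the example.
import hashlib
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed "short period of time"
MIN_FAILURES = 5                # assumed "excessive failed login rate"
MIN_DISTINCT = 4                # assumed count of distinct users/passwords or common-value attempts
MIN_LEAKED_SUCCESS = 3          # assumed successful logins with leaked credentials
MIN_SUCCESS_USERS = 4           # assumed distinct users succeeding from one device
FAIL_RATIO = 0.8                # assumed failed/total ratio per device
RISKY_REPUTATIONS = {"anonymous proxy", "comment spammer"}  # reputation examples from the page
COMMON_PASSWORDS = {"123456", "password", "qwerty"}         # constructed dictionary-attack list
COMMON_USERS = {"admin", "administrator", "root"}           # constructed common-user list


def cred_hash(username, password):
    """Hash a credential pair so the leaked list never stores cleartext."""
    return hashlib.sha256(f"{username}:{password}".encode()).hexdigest()


# Constructed stand-in for a public leaked-credential list, stored hashed.
LEAKED = {cred_hash("alice", "hunter2"), cred_hash("bob", "letmein"),
          cred_hash("carol", "summer2020")}


@dataclass
class LoginEvent:
    ts: datetime
    device: str          # assumed per-device identifier (e.g. source IP)
    username: str
    password: str        # visible to the login-protection layer in this toy model
    success: bool
    ip_reputation: str = "clean"


def classify_device(events):
    """Return the set of reasons that fire for one device's burst of logins.
    A risky IP reputation halves every threshold, standing in for the
    'device risk' factor each reason on the page mentions."""
    events = sorted(events, key=lambda e: e.ts)
    if not events or events[-1].ts - events[0].ts > WINDOW:
        return set()          # toy: only bursts inside one window are scored
    scale = 0.5 if any(e.ip_reputation in RISKY_REPUTATIONS for e in events) else 1.0
    failures = [e for e in events if not e.success]
    successes = [e for e in events if e.success]
    reasons = set()
    excessive = len(failures) >= MIN_FAILURES * scale
    if excessive and len(failures) / len(events) >= FAIL_RATIO:
        if len({e.username for e in failures}) >= MIN_DISTINCT * scale:
            reasons.add("Brute force")              # many usernames, same device
        if len({e.password for e in failures}) >= MIN_DISTINCT * scale:
            reasons.add("Password brute force")     # many passwords, same device
    if excessive:
        if sum(e.password in COMMON_PASSWORDS for e in failures) >= MIN_DISTINCT * scale:
            reasons.add("Common password")
        if sum(e.username in COMMON_USERS for e in failures) >= MIN_DISTINCT * scale:
            reasons.add("Common user")
    leaked_hits = [e for e in successes if cred_hash(e.username, e.password) in LEAKED]
    if len(leaked_hits) >= MIN_LEAKED_SUCCESS * scale:
        reasons.add("Credential stuffing")          # successful logins with leaked pairs
    if len({e.username for e in successes}) >= MIN_SUCCESS_USERS * scale:
        reasons.add("Suspicious number of users")
    return reasons


def classify_log(events):
    by_device = defaultdict(list)   # group the whole log by device
    for e in events:
        by_device[e.device].append(e)
    return {dev: classify_device(evs) for dev, evs in by_device.items()}


def sample_events():
    """Constructed login log: six devices, each exercising one pattern."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    ev = []
    for i in range(6):   # d1: one password sprayed across six usernames
        ev.append(LoginEvent(t0 + timedelta(seconds=i), "d1", f"user{i}", "Passw0rd!", False))
    for i in range(6):   # d2: six passwords tried against one account
        ev.append(LoginEvent(t0 + timedelta(seconds=i), "d2", "alice", f"Wrong{i}", False))
    for u, p in [("alice", "hunter2"), ("bob", "letmein"), ("carol", "summer2020")]:
        ev.append(LoginEvent(t0, "d3", u, p, True))          # d3: leaked pairs that work
    for p in ["123456", "password", "qwerty"]:               # d4: risky IP, common values
        ev.append(LoginEvent(t0, "d4", "admin", p, False, "anonymous proxy"))
    for u in ["dave", "erin", "frank", "grace", "heidi"]:     # d5: many users, one device
        ev.append(LoginEvent(t0, "d5", u, f"{u}-pw", True))
    ev.append(LoginEvent(t0, "d6", "ivan", "typo", False))   # d6: ordinary user, two typos
    ev.append(LoginEvent(t0, "d6", "ivan", "typo2", False))
    ev.append(LoginEvent(t0, "d6", "ivan", "correct", True))
    return ev


def run_sample():
    return classify_log(sample_events())


if __name__ == "__main__":
    for device, reasons in run_sample().items():
        print(device, sorted(reasons) or "no reason fired")
```

Running the script prints one line per device. Device d1 fires only Brute force, d2 only Password brute force, d3 only Credential stuffing (three successful logins whose hashed pairs are in the leaked list), d5 only Suspicious number of users, and d6 (a user who mistypes twice) fires nothing. Device d4 shows how the assumed device-risk factor changes the outcome: three attempts from an "anonymous proxy" address are enough to fire Password brute force, Common password and Common user because the halved thresholds apply, while the same three attempts from a clean address would fire nothing.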
