Copyright © All Rights Reserved. World of Software.
Customer Account Takeovers: The Multi-Billion Dollar Problem You Don’t Know About

News Room
Last updated: 2025/04/30 at 10:25 AM
News Room Published 30 April 2025

Everyone has cybersecurity stories involving family members. Here’s a relatively common one. The conversation usually goes something like this:

“The strangest thing happened to my streaming account. I got locked out of my account, so I had to change my password. When I logged back in, all my shows were gone. Everything was in Spanish and there were all these Spanish shows I’ve never seen before. Isn’t that weird?”

This is an example of an account takeover attack on a customer account. Typically what happens is that a streaming account is compromised, probably due to a weak and reused password, and access is resold as part of a common digital black market product, often advertised as something like “LIFETIME STREAMING SERVICE ACCOUNT – $4 USD.”

In the grand scheme of things, this is a relatively mild inconvenience for most customers. You can reset your credentials with a much stronger password, call your bank to issue a new credit card and be back to binge-watching The Crown in short order.

But what happens when similar incidents occur thousands of times daily across the world’s most popular web applications?

The Hidden Scale of Account Takeovers (ATO)

Flare’s recent report, The Account and Session Takeover Economy, reveals just how widespread and costly this issue has become. Industries like e-commerce, gaming, productivity SaaS, and streaming are particularly hard-hit, each seeing over 100,000 newly exposed accounts per month.

The report found a median account takeover exposure rate of 1.4% among platforms ranging from 5 million to 300 million users. Of particular concern is the rise in session hijacking—a technique that allows attackers to bypass multi-factor authentication (MFA) by stealing session cookies, often via infostealer malware.

Returning to the streaming example, it’s likely that the attacker didn’t even need to log in with a password. With an active session token in hand, they simply injected it into a browser using an anti-detect tool and gained full access—without triggering alerts or MFA challenges.

A major entertainment or e-commerce platform with millions of users—Netflix, Epic Games, or Wayfair—can conservatively expect thousands of customer accounts to be vulnerable to takeover at any given time.

[Figure: Average New Exposed Accounts (Monthly) – Scaled View, from Flare’s The Account and Session Takeover Economy Report]

What’s the Real Cost of an ATO?

The economic toll of ATOs is difficult to fully quantify, but Flare’s report breaks it down into three major categories: labor, fraud, and customer churn.

Let’s revisit the streaming example from earlier. Some users may chalk the issue up to bad luck and stick around for the next season of Stranger Things. Others, however, may cancel out of frustration—especially when they’ve already had to reset passwords, deal with credit card issues, or simply feel their trust has been violated. A 2023 report from fraud prevention company Sift found that 73% of users believe the brand—not the user—is responsible for preventing ATOs.

We’ve used streaming services as an example in this article because of their cultural significance in global entertainment, but we don’t make any assumptions about their security posture, breach history, or business practices.

To understand the potential business impact, consider a fictional entertainment streaming service. If there are 100 million paying customers at $120 per year…

  • If 0.5% of accounts are taken over—about one-third of the median exposure rate—that’s 500,000 affected users.
  • If even 20% of those users churn, the company stands to lose $12 million in annual revenue.
  • In a worst-case scenario where 73% walk away, the loss grows to $44 million.

This is all very rough “back of napkin” math, but it provides a starting point for quantifying the financial risks associated with ATOs.

Remember, this is just a churn risk. Fraud-related losses are a separate discussion entirely! Now extrapolate this challenge across the hundreds of web applications that service millions of daily users.

[Figure: Cost of ATOs & Fraud Mechanism Per Industry]

Recommendations for ATO Prevention

1. Monitor the Infostealer Ecosystem

While ransomware grabs headlines, infostealer malware is fueling the majority of credential-based attacks. Flare’s data shows a 26% year-over-year increase in exposures involving stolen credentials and session cookies.

According to Verizon’s 2025 Data Breach Investigations Report (DBIR), 88% of basic web app attacks involve stolen credentials, demonstrating how central infostealers are to modern account takeover operations.

2. Detect and Remediate Exposed Accounts

Organizations can dramatically reduce ATO risk by combining real-time infostealer intelligence with their identity and access management systems. This enables the detection and remediation of accounts that have been compromised—especially those with valid session cookies, which allow attackers to bypass authentication entirely.

Proactive monitoring and auto-remediation can prevent account abuse before it impacts customer experience or bottom-line metrics.
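
One way such a detect-and-remediate job could look, as an added example that is not from Flare's report or any vendor's product. It assumes a hypothetical exposure feed that delivers (email, capture time, password-exposed flag, SHA-256 digests of stolen session tokens) and an in-memory account store; every name and record below is constructed.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime

def sha256(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

@dataclass
class Account:
    password_changed_at: datetime
    sessions: dict = field(default_factory=dict)  # session-token SHA-256 -> revoked flag
    must_reset: bool = False

def remediate(accounts: dict, exposures: list) -> dict:
    """Apply exposure records in place; return {email: [actions]} for follow-up."""
    actions = {}
    for email, captured_at, password_exposed, cookie_digests in exposures:
        email = email.lower()
        acct = accounts.get(email)
        if acct is None:
            continue  # the exposed address is not one of our customers
        done = actions.setdefault(email, [])
        # The stolen password is still usable only if unchanged since the stealer log capture.
        stale = password_exposed and acct.password_changed_at <= captured_at
        for digest, revoked in acct.sessions.items():
            # A stolen cookie skips login and MFA, so revoke it whatever the password state.
            if not revoked and (stale or digest in cookie_digests):
                acct.sessions[digest] = True
                done.append("revoke_session")
        if stale and not acct.must_reset:
            acct.must_reset = True
            done.append("force_password_reset")
        if done and "notify_customer" not in done:
            done.append("notify_customer")
    return {email: acts for email, acts in actions.items() if acts}

ACCOUNTS = {  # constructed sample data: hypothetical customers and sessions
    "alice@example.com": Account(datetime(2025, 1, 1), {sha256("alice-laptop"): False, sha256("alice-tv"): False}),
    "bob@example.com": Account(datetime(2025, 4, 20), {sha256("bob-phone"): False}),
    "dana@example.com": Account(datetime(2024, 6, 1), {sha256("dana-web"): False}),
}
EXPOSURES = [  # constructed feed records: (email, captured_at, password_exposed, cookie digests)
    ("Alice@example.com", datetime(2025, 4, 1), False, [sha256("alice-laptop")]),
    ("bob@example.com", datetime(2025, 4, 10), True, []),
    ("dana@example.com", datetime(2025, 4, 12), True, []),
    ("carol@example.net", datetime(2025, 4, 12), True, []),
]

if __name__ == "__main__":
    print(remediate(ACCOUNTS, EXPOSURES))
```

Only the stolen session is revoked for the cookie-only exposure, the account whose password was changed after the capture is left alone, and every remediated account ends with a notification action, so the customer hears about the compromise from the company.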

3. Communicate a Security-First Approach

Introducing friction—like forced password resets—can feel risky for customer experience. But most users expect companies to not only protect their data but also communicate any issues.

Also from Sift’s report: only 43% of ATO victims were notified by their company that their account had been compromised. Customers who experience this fraud but aren’t notified may feel that the company is not aware of account takeovers or has no steps in place to help them out.

By clearly communicating the purpose behind these measures, organizations can reframe proactive security as a value-added feature. Transparency around ATO risks helps customers feel safer—and more loyal—over time.

About the Author: Nick Ascoli is the Director of Product Strategy at Flare and an experienced threat researcher who is recognized for his expertise in data leaks, reconnaissance, and detection engineering. Nick is an active member of the cybersecurity community contributing to open-source projects, regularly appearing on podcasts (Cyberwire, Simply Cyber, etc.) and speaking at conferences (GrrCON, B-Sides, DEFCON Villages, SANS, etc.)

This article is a contributed piece from one of our valued partners.
