According to a Thomson Reuters and Feedzai white paper on preventing account takeover, "three-quarters of U.S. adults have experienced at least one instance of identity theft — fraudulent activity using a person's credentials without their permission or knowledge — and 27% have said they've experienced it more than once." Fraud losses reached "$10 billion in losses in the U.S." in 2023 alone, and at a "global level, fraud losses in 2023 are projected to be more than $485 billion."
Account takeover attacks have become particularly damaging in cloud-based SaaS environments. According to The Hacker News, these attacks continue to succeed despite investments in traditional security measures, primarily because the browser itself has become the place where these attacks take place.
In February 2024 UnitedHealth Group's tech subsidiary Change Healthcare fell victim to a ransomware attack. According to CEO Andrew Witty's testimony before the House Energy and Commerce Committee, attackers gained access using stolen login credentials to a Citrix remote access portal that lacked multi-factor authentication.
The attack disrupted claims and payment systems, hospitals, medical practices, health facilities, and pharmacies across the country for nearly a month. As of April 2024, UnitedHealth had provided more than $6.5 billion in accelerated payments and interest-free loans to healthcare providers unable to process insurance claims.
Witty revealed in his testimony that once attackers gained access through the compromised credentials, they moved laterally within the systems and exfiltrated approximately 6TB of data before deploying ransomware nine days later, fully encrypting the network. The ALPHV/BlackCat ransomware gang claimed responsibility and UnitedHealth ultimately paid a $22 million ransom in an attempt to protect patient data.
Change Healthcare's entire data center network and core services had to be completely rebuilt, thousands of laptops were replaced, credentials were rotated, and new server capacity was added.
This breach showed that even major corporations with substantial security resources can fall victim to account takeover. As Witty noted in his testimony, UnitedHealth repels an attempted intrusion every 70 seconds, thwarting more than 450,000 intrusions per year, yet a single set of compromised credentials was all it took.
Your first priority is to attempt to regain access as quickly as possible. As Shamnad Mohamed Shaffi notes in Comprehensive Digital Forensics and Risk Mitigation Strategy for Modern Enterprises, "Cyber incidents can and will happen outside of regular working hours. Be ready and available to respond to these incidents as they happen."
The Hacker News explains that account takeover attacks exploit fundamental components within the browser, including executed web pages where attackers create phishing login pages or use man-in-the-middle techniques to harvest credentials, malicious browser extensions that can access and exfiltrate sensitive data, and stored credentials that attackers aim to hijack or exfiltrate to access applications.
Warning signs that your account may be compromised include unusual login locations, rapid password reset attempts, suspicious account activity such as large or international transactions that don't align with your usual activity, being locked out of your account unexpectedly, or receiving notifications about changes you didn't make.
Once you've initiated the recovery process, you'll need to verify your identity. Most services offer multiple recovery methods, such as sending a code to your registered email address or phone number, or answering security questions. If the attacker has changed these recovery options, you may need to contact customer support directly with proof of identity, such as a government-issued ID, previous transaction history, or answers to account verification questions.
Thomson Reuters and Feedzai found that "once an individual's identity is compromised, there is nothing easy about getting it back," with victims reporting "that it took them weeks or months to regain control of their accounts."
After regaining access, immediately update all recovery information. Add or update your recovery email address, phone number, and security questions. Make sure these recovery options are secure and not compromised.
Once you're back in your account, conduct a thorough investigation of what the attacker may have accessed or changed. Review your recent activity logs, which most services provide. Look for unfamiliar login locations, devices, or IP addresses. Check sent messages or posts to see if the attacker used your account to contact others or share malicious content. Examine any connected apps or third-party services that have access to your account and revoke permissions for anything you don't recognize or no longer use.
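The warning signs listed earlier (unfamiliar login locations and devices, rapid password reset attempts, recovery settings changed without your knowledge) can be checked mechanically against an account's activity export. The script below is an added example, not part of the original article; the JSON event format, the `KNOWN` profile of each user's usual countries and devices, and the log lines themselves are all constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample activity log (one JSON event per line), shaped like a
# typical "recent activity" export. The events for "alice" show a takeover
# in progress; "bob" is normal activity and should produce no findings.
SAMPLE_LOG = """
{"ts": "2024-03-01T09:00:00", "user": "alice", "event": "login", "country": "US", "device": "laptop-01", "ip": "203.0.113.5"}
{"ts": "2024-03-01T09:20:00", "user": "alice", "event": "login", "country": "RO", "device": "unknown-android", "ip": "198.51.100.7"}
{"ts": "2024-03-01T09:21:00", "user": "alice", "event": "password_reset_request", "country": "RO", "device": "unknown-android", "ip": "198.51.100.7"}
{"ts": "2024-03-01T09:22:00", "user": "alice", "event": "password_reset_request", "country": "RO", "device": "unknown-android", "ip": "198.51.100.7"}
{"ts": "2024-03-01T09:23:00", "user": "alice", "event": "password_reset_request", "country": "RO", "device": "unknown-android", "ip": "198.51.100.7"}
{"ts": "2024-03-01T09:25:00", "user": "alice", "event": "recovery_email_changed", "country": "RO", "device": "unknown-android", "ip": "198.51.100.7"}
{"ts": "2024-03-01T10:00:00", "user": "bob", "event": "login", "country": "US", "device": "desktop-07", "ip": "203.0.113.9"}
"""

# Assumed baseline per user: where and from what they normally log in.
KNOWN = {"alice": {"countries": {"US"}, "devices": {"laptop-01"}},
         "bob": {"countries": {"US"}, "devices": {"desktop-07"}}}
RESET_WINDOW = timedelta(minutes=10)   # "rapid" = this many resets ...
RESET_THRESHOLD = 3                    # ... within this window
SENSITIVE_CHANGES = {"recovery_email_changed", "recovery_phone_changed",
                     "password_changed", "mfa_disabled"}

def parse_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def triage(events, known):
    """Return {user: [finding, ...]} for every warning sign seen in the log."""
    findings, resets = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):     # ISO timestamps sort as text
        user, ts = e["user"], datetime.fromisoformat(e["ts"])
        profile = known.get(user, {"countries": set(), "devices": set()})
        if e["event"] == "login":
            if e["country"] not in profile["countries"]:
                findings[user].append(f"login from unfamiliar country {e['country']} ({e['ip']})")
            if e["device"] not in profile["devices"]:
                findings[user].append(f"login from unfamiliar device {e['device']}")
        elif e["event"] == "password_reset_request":
            # keep only resets inside the sliding window, then add this one
            resets[user] = [t for t in resets[user] if ts - t <= RESET_WINDOW] + [ts]
            if len(resets[user]) == RESET_THRESHOLD:
                findings[user].append(f"{RESET_THRESHOLD} password reset requests within {RESET_WINDOW}")
        elif e["event"] in SENSITIVE_CHANGES:
            findings[user].append(f"recovery/security setting changed: {e['event']}")
    return dict(findings)

if __name__ == "__main__":
    for user, items in triage(parse_events(SAMPLE_LOG), KNOWN).items():
        print(user, "->", "; ".join(items))
```

Each finding names the event that triggered it, so the output doubles as the starting list of things to check, revoke, or rotate once you are back in the account.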
If your compromised account was used to send messages, emails, or posts, inform your contacts immediately. Attackers often use hijacked accounts to send phishing links or scam messages to your friends, family, or colleagues, leveraging the trust people have in you. As Shaffi emphasizes, "Phishing goes after the most vulnerable part of any security system, the People." Send a brief message explaining that your account was compromised and that they should disregard any suspicious messages they may have received from you. Warn them not to click on any links or download any attachments from messages sent during the compromise period.
The Hacker News highlights phishing as a primary attack method, noting that phishing attacks abuse the way browsers execute web pages. Attackers use two main approaches: creating malicious login pages or intercepting legitimate ones to capture session tokens. If you've used the same password for other services, change those immediately as well. The research notes that "Accidents happen, and employees fall for phishing scams or mistakenly expose confidential information."
An account takeover can sometimes be the first step in a broader identity theft attempt. Thomson Reuters and Feedzai reported that "2023 was a record year for organizational data breaches — more than 3,200 incidents were reported that affected more than 300 million identities." Shaffi explains that "The cyber kill chain is a series of steps that trace a cyberattack stage from the early reconnaissance stages to the exfiltration of data."
For healthcare organizations, reporting an account takeover is not just recommended but, under certain circumstances, legally required. If the compromised account resulted in unauthorized access to protected health information (PHI), you must comply with HIPAA breach notification requirements.
Under HIPAA's Breach Notification Rule, covered entities and business associates must report breaches affecting 500 or more individuals to the Department of Health and Human Services (HHS) within 60 days of discovery. These breaches must also be reported to affected individuals and, in some cases, to prominent media outlets. For breaches affecting fewer than 500 individuals, you must maintain an internal log and report them to HHS annually. The UnitedHealth breach triggered an HHS investigation into possible HIPAA violations.
Besides HIPAA compliance, document the account takeover thoroughly and report it to appropriate authorities. File a report with your local police department if financial loss occurred. Report the incident to the FBI's Internet Crime Complaint Center (IC3), especially for ransomware attacks or data exfiltration. If the compromised account was connected to your organization's network or systems, notify your IT and security teams immediately, as the breach could affect broader organizational security and trigger additional compliance obligations.
Shaffi's research on employee training notes that the objectives should be "to educate the workforce on authorized use and handling of company's information assets...help users understand how to recognize and report problems, incidents or violations." This includes being skeptical of unsolicited emails or messages requesting login credentials, keeping your software and operating systems updated, using a VPN when accessing accounts on public networks, and regularly reviewing the security settings of your important accounts.
The Hacker News stated that the browser has become an attack surface for enterprises, with account takeover attacks exemplifying the need to adapt organizational security approaches. Be cautious about which browser extensions you install, regularly review and remove extensions you no longer use, and ensure your browser is always updated to the latest version. Consider using browser security features like password managers built into modern browsers and enabling warnings for suspicious sites.
Furthermore, solutions like Paubox Inbound Email Security use generative AI to detect nuanced anomalies in sender behavior, tone, and context, protecting against phishing, ransomware, and display name spoofing attacks that traditional rule-based filters often miss.
Retain all incident logs, forensic evidence, and documentation for at least six years to meet HIPAA record retention requirements.
Yes, implement an organization-wide password reset if an administrative or privileged account is compromised.
Account takeover specifically refers to attackers gaining full control and locking out legitimate users, while account compromise is broader and includes unauthorized access where the legitimate user may still retain access.