Account takeover
Account takeover (ato) is when someone other than the owner signs in to an existing account. The credentials are usually real (bought from a breach dump, phished, or guessed through credential stuffing), so a password check alone won't catch it. What gives the attacker away is the context around the login: a device, network, or location that doesn't fit the real owner.
Rupt scores this risk on the login action.
What Rupt looks for
The headline checks that feed the score:
- New fingerprint: the login comes from a browser or device Rupt hasn't seen on this account.
- New IP: an address the user hasn't connected from recently.
- Impossible travel: the account was active somewhere else too recently for the same person to have moved between the two locations.
- Anonymizing network: the connection is hiding behind a VPN, proxy, or Tor.
No single check is damning. People buy new phones and travel. The score climbs when several line up at once: a new device on a new IP behind a VPN, far from where the account usually signs in, is a very different story from any one of those alone.
Severity and response
Rupt rolls the triggered checks into an ato risk severity from low to maximum, recorded on the evaluation. To act on it today, your policies match the underlying checks. For example, challenge when a new device and impossible travel stack up, so a genuine owner on a new laptop gets a quick verification instead of a lockout while an attacker stacking signals hits a step they can't fake. Matching a policy on the ato severity directly is coming soon.
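The checks and the stacked policy described above, sketched in Python as an added example. This is not Rupt's code or API: the check names, the `Login` record, the speed and distance thresholds, and the sample logins are all assumptions constructed for illustration.

```python
import math
from dataclasses import dataclass
from datetime import datetime

MAX_SPEED_KMH = 900.0    # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 100.0  # assumption: below this, treat the gap as geo-IP noise

@dataclass
class Login:
    when: datetime
    lat: float
    lon: float
    fingerprint: str
    ip: str
    anonymized: bool = False  # VPN, proxy or Tor, as flagged by an upstream lookup

def haversine_km(a, b):
    """Great-circle distance between two logins, in kilometres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dlon = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def triggered_checks(history, login):
    """history: the account's recent logins. Returns the set of checks that fired."""
    checks = set()
    if login.fingerprint not in {h.fingerprint for h in history}:
        checks.add("new_fingerprint")
    if login.ip not in {h.ip for h in history}:
        checks.add("new_ip")
    if login.anonymized:
        checks.add("anonymizing_network")
    if history:
        last = max(history, key=lambda h: h.when)
        hours = (login.when - last.when).total_seconds() / 3600
        km = haversine_km(last, login)
        # Too far, too soon: the implied speed exceeds what one person could travel.
        if km > MIN_DISTANCE_KM and (hours <= 0 or km / hours > MAX_SPEED_KMH):
            checks.add("impossible_travel")
    return checks

def decide(checks):
    """Challenge only when a new device and impossible travel stack up."""
    return "challenge" if {"new_fingerprint", "impossible_travel"} <= checks else "allow"

# Constructed sample data: an owner in Montreal, then two candidate logins.
HISTORY = [Login(datetime(2024, 5, 1, 9, 0), 45.50, -73.57, "fp-old-laptop", "203.0.113.10")]
NEW_LAPTOP = Login(datetime(2024, 5, 2, 9, 0), 45.50, -73.57, "fp-new-laptop", "203.0.113.10")
STACKED = Login(datetime(2024, 5, 1, 11, 0), 1.35, 103.82, "fp-unknown", "198.51.100.7", True)
```

With these inputs the owner's new laptop fires a single check and is allowed, while the login from Singapore two hours after Montreal fires all four and is challenged.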