
What Are Compromised Accounts?

Compromised accounts are online accounts that have been accessed by unauthorized individuals. This unauthorized access can lead to various malicious activities such as identity theft, fraud, and unauthorized transactions.

When an account is compromised, attackers can perform actions as if they were the legitimate account holder. This can result in significant harm, including financial loss, damage to reputation, and loss of personal or sensitive information.

This is part of a series of articles about DRPS.

How Does Account Compromise Happen?

There are several vulnerabilities and exploits that can result in account compromise.

Public Data Breaches

When a company's security is breached, sensitive user data may be exposed. This can happen due to vulnerabilities in the company's software, inadequate security practices, or targeted attacks by hackers.

Once the data is exposed, it can be sold or shared on the dark web, where other malicious actors can purchase it to gain access to user accounts. High-profile breaches often affect millions of users, making it difficult for individuals to protect themselves unless they are notified and take immediate action to change their credentials.

Using Weak Passwords

Weak passwords are easily guessable and can be cracked using brute force attacks or through simple guesswork. Common weak passwords include sequences like "123456" or "password," as well as easily accessible personal information such as birthdays or names.

Attackers use automated tools that can try thousands of password combinations per second, making it crucial for users to create strong, unique passwords that combine letters, numbers, and special characters. Using the same password across multiple accounts also increases the risk, as one compromised account can lead to others being accessed.

Phishing Scams

Phishing scams trick individuals into providing their login credentials by pretending to be legitimate entities. These scams often come in the form of emails, text messages, or fake websites that mimic those of trusted organizations like banks, social media platforms, or online services.

Phishing emails may contain urgent messages, such as claims that an account has been compromised or that there is a problem that needs immediate attention, prompting users to click on a link and enter their login details. Once the attacker has the credentials, they can access the victim's account and perform unauthorized actions.

Malware

Malware, such as keyloggers or spyware, can be installed on a user's device without their knowledge. This software captures login information and transmits it to the attacker, allowing them to access the account. Malware can be spread through infected email attachments, malicious websites, or software downloads from untrusted sources.

Keyloggers record every keystroke made on a device, capturing usernames and passwords as they are typed. Spyware monitors user activity and can send screenshots or other data back to the attacker. Keeping software and antivirus programs up to date can help protect against malware infections.

Types of Compromised Accounts

There are several types of online accounts that can be compromised, opening the way for various attacks.

Email Accounts

Compromised email accounts can be used to send spam, launch phishing attacks, or access other linked accounts. Attackers can also steal personal information stored in emails, such as contact lists, personal conversations, and sensitive documents.

With access to an email account, an attacker can reset passwords for other online accounts, gaining further unauthorized access. They may also use the compromised account to impersonate the victim and deceive others, leading to additional security breaches and scams.

Social Media Accounts

When social media accounts are compromised, attackers can post malicious content, scam followers, or use the account to spread malware. They may also access private messages and personal data, which can be used for further attacks or sold to other malicious actors.

Compromised social media accounts can damage a person's reputation, as attackers may post inappropriate or harmful content. In some cases, attackers use compromised accounts to create fake profiles and deceive others, leading to identity theft and other issues.

Financial Accounts

Compromised financial accounts, such as bank or credit card accounts, can lead to unauthorized transactions, financial theft, and credit fraud. Attackers may also use stolen financial information to open new accounts in the victim's name, leading to long-term financial damage and credit issues.

Unauthorized access to financial accounts can result in significant monetary loss, and victims may face difficulties in recovering stolen funds.


Tips from the Expert

Rob Gurzeev
CEO and Co-Founder

Rob Gurzeev, CEO and Co-Founder of CyCognito, has led the development of offensive security solutions for both the private sector and intelligence agencies.

In my experience, here are tips that can help you better identify and prevent compromised accounts:

  • Regularly audit access controls: Perform periodic reviews of account permissions and access levels, ensuring that users have only the necessary permissions for their roles. This helps prevent privilege escalation from compromised accounts.
  • Implement adaptive authentication: Use machine learning algorithms to monitor user behavior and dynamically adjust authentication requirements based on risk factors. This can involve escalating to multi-factor authentication (MFA) for high-risk activities.
  • Use behavioral analytics: Implement solutions that analyze user behavior patterns to detect anomalies. Sudden changes in user activity, such as accessing data at unusual times or from uncommon locations, can be flagged for further investigation.
  • Enforce account hygiene policies: Educate users on maintaining account hygiene, such as regularly updating passwords, recognizing phishing attempts, and avoiding the use of personal devices for work purposes without proper security measures.
  • Implement geo-fencing and IP allowlisting: Restrict account access based on geographic locations or specific IP addresses. This reduces the risk of unauthorized access from unfamiliar locations or networks.

5 Ways to Spot Compromised Accounts

There are several factors indicating that an account may be compromised.

  1. Unusual activity: Unusual activity includes changes that deviate from the account holder’s typical behavior. These could be unexpected modifications in account settings, such as changes to passwords, security questions, or linked email addresses. Unauthorized transactions, such as unapproved purchases or money transfers, are also red flags, as are logins from unfamiliar devices or IP addresses.
  2. Unusual outbound traffic: Unusual outbound traffic patterns might manifest as large volumes of data being transferred at unusual times, such as late at night or during periods when the account holder is typically inactive. The data might be sent to unknown or suspicious destinations, raising further concerns.
  3. Failed authentication requests: Attackers often use brute force techniques, trying numerous password combinations rapidly in an attempt to gain access. A sudden surge in failed login attempts can suggest that someone is actively attempting to breach the account.
  4. Network requests from unfamiliar geolocations: If login attempts or data access requests originate from countries or regions where the legitimate account holder does not typically operate, it is cause for concern. These unfamiliar locations may indicate that an unauthorized user is trying to gain access.
  5. Flooded device traffic to a specific address: Attackers might use compromised devices to send substantial amounts of data to their servers or to coordinate attacks on other networks. This sudden rise in traffic directed towards a particular destination can suggest that the account is being used maliciously.
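The first four signals above can be checked mechanically against authentication logs. The following is an added illustration, not CyCognito's code: it scores constructed log lines for a failed-login surge, a login from an unfamiliar country, a login from an unknown device, and a success that immediately follows a burst of failures. The log format, the per-account baseline and the thresholds are assumptions.

```python
# Added illustration, not CyCognito's code: flag the signals listed above in
# constructed auth log lines (format, baseline and thresholds are assumptions).
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, account, result, source country, device id.
SAMPLE_LOG = """\
2024-06-01T09:05:00 alice OK US laptop-1
2024-06-01T22:10:00 alice FAIL US unknown-7
2024-06-01T22:10:03 alice FAIL US unknown-7
2024-06-01T22:10:05 alice FAIL US unknown-7
2024-06-01T22:10:08 alice FAIL US unknown-7
2024-06-01T22:10:11 alice FAIL US unknown-7
2024-06-01T22:10:14 alice OK US unknown-7
2024-06-02T03:00:00 bob OK RU phone-2
"""

BASELINE = {  # assumed per-account set of countries and devices normally used
    "alice": {"countries": {"US"}, "devices": {"laptop-1"}},
    "bob": {"countries": {"US"}, "devices": {"phone-2"}},
}
FAIL_THRESHOLD = 5  # failures inside WINDOW that count as a surge (assumed)
WINDOW = timedelta(minutes=1)

def parse(line):
    ts, user, result, country, device = line.split()
    return datetime.fromisoformat(ts), user, result, country, device

def detect(log_text, baseline=BASELINE):
    """Return {account: set of signal names} for the given log text."""
    signals = defaultdict(set)
    fails = defaultdict(list)  # account -> timestamps of failures inside WINDOW
    for line in log_text.splitlines():
        ts, user, result, country, device = parse(line)
        base = baseline.get(user, {"countries": set(), "devices": set()})
        recent = [t for t in fails[user] if ts - t <= WINDOW]  # slide the window
        if result == "FAIL":
            recent.append(ts)
            if len(recent) >= FAIL_THRESHOLD:
                signals[user].add("failed-auth-surge")
        else:
            if country not in base["countries"]:
                signals[user].add("unfamiliar-geolocation")
            if device not in base["devices"]:
                signals[user].add("new-device-login")
            if len(recent) >= FAIL_THRESHOLD:  # burst then success: likely guessed
                signals[user].add("success-after-fail-burst")
        fails[user] = recent
    return dict(signals)
```

Accounts absent from the baseline are treated as having no known countries or devices, so their first login raises both location and device signals; in practice the baseline would be learned from history rather than hard-coded.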

5 Defensive Measures to Prevent Compromised Accounts

Here are some of the ways users can protect themselves from account compromise.

1. Use Strong, Unique Passwords

A strong password typically includes a mix of upper and lower case letters, numbers, and special characters. Avoid using easily guessable information like names, birthdays, or common phrases. Instead, consider using a passphrase—a sequence of random words that are easy to remember but difficult to guess.

For example, a passphrase like "HorseBatteryStaple!" combines random words with special characters, making it both strong and memorable. Encourage users to use password managers to generate and store complex passwords securely. Password managers can create highly secure passwords that users don’t have to remember, as they are stored in an encrypted database.

Regularly updating passwords and avoiding the reuse of passwords across multiple accounts further enhances security.

2. Enable MFA on All Accounts

Enabling multi-factor authentication (MFA) adds an extra layer of security to accounts. With MFA, users must provide additional verification factors beyond just a password. These additional factors might include a one-time code sent to the user’s mobile device, a biometric verification like a fingerprint or facial recognition, or a hardware token like a USB security key.

Even if an attacker obtains a password, MFA significantly reduces the likelihood of unauthorized access, as they would need the second factor to successfully log in. Implementing MFA can protect against various types of attacks, including phishing and keylogging. Many online services and platforms offer MFA options.

Consider using authentication apps like Google Authenticator or Authy, which generate time-based one-time passwords (TOTP) that provide another secure layer without relying on SMS, which can be intercepted.

3. Never Click Unsolicited Links or Attachments

Phishing scams often rely on users clicking on malicious links or opening infected attachments. To avoid falling victim, be cautious with unsolicited emails, messages, or pop-ups. Verify the sender's identity before interacting with any links or attachments, even if the message appears to be from a trusted source. Hover over links to check their true destination, and avoid downloading files from unknown or suspicious sources.

Educating users about common phishing tactics can also help them recognize and avoid potential scams. Users should look out for telltale signs such as poor grammar, generic greetings, and urgent calls to action that pressure recipients to respond immediately.

4. Use Secure Connections

Enforce the use of secure, encrypted connections to access online accounts, especially when handling sensitive information. Look for "https://" in the URL and a padlock icon in the browser's address bar, indicating a secure connection. Avoid using public Wi-Fi networks for accessing important accounts, as these networks are often unsecured and can be exploited by attackers.

If users must use public Wi-Fi, consider using a virtual private network (VPN) to encrypt Internet traffic and protect data from potential eavesdroppers. Disable automatic Wi-Fi connections to prevent the device from connecting to potentially dangerous networks without the user’s knowledge. Use a mobile data network for more secure transactions if a VPN isn't available.

5. Monitor Account Activity

Regularly monitoring account activity can help users detect any unusual or unauthorized actions quickly. Many services offer account activity logs that show recent logins, transactions, or changes to account settings. Review these logs periodically to ensure all activity is legitimate.

Set up notifications and alerts to receive real-time updates about significant changes or suspicious activities. For example, users can set alerts for password changes, login attempts from new devices or locations, and large transactions.
