Stop Guessing — 7 Signals That Prove Your Users Are Being Hacked

Andrew — Thu, 14 May 2026 16:08:57 +0000

You wake up to a support ticket: "I didn't make this purchase." Then another. Then five more.

By the time you start investigating, the attacker has already changed the email, drained the balance, and disappeared. Account Takeover is fast, quiet, and increasingly automated.
I've spent a lot of time dealing with these cases, and the pattern is usually the same: the warning signs were there, but nobody was paying attention to them.

Here are the signals that matter most, along with practical ways to catch them.

1. Login patterns that don't make sense

Most users are predictable. They log in from the same city, the same devices, and usually around the same time each day.

So when an account suddenly shows up from another continent at 3 AM, it's probably not because the user is traveling.

What to look for in your logs:

This check isn't perfect. VPNs, mobile networks, and corporate proxies can all create false positives.

Still, impossible travel detection catches more real attacks than you'd expect, especially when combined with other signals. It's one of the simplest high-value checks you can add.

2. Failed logins that look automated

People forget their passwords all the time. But there's a big difference between someone mistyping a password a few times and a bot trying thousands of leaked credentials.

In your auth logs, automated attacks usually look like this:

Humans don't behave like this.

These patterns are a strong signal of credential stuffing: fast attempts, consistent timing, and multiple accounts targeted from the same source.

The catch is that real attackers rarely stay this simple. They rotate IPs and spread attempts across proxy networks, so per-IP rate limiting quickly loses effectiveness.

To catch this reliably, you need to look at behavior across time and traffic patterns, not just individual IPs.

3. The account suddenly changes behavior

This one is subtle, but surprisingly reliable.

A user spends months casually browsing products, then one day logs in and immediately goes to:

Settings
Change Email
Change Password

All within 90 seconds.

That's usually not normal user behavior. It's often someone who just gained access and is trying to lock the real owner out before they're noticed.

4. The device fingerprint doesn't add up

Automated tools and fake browsers usually leave small inconsistencies behind.

Maybe the browser claims to run on macOS, but the WebGL data looks like Linux. Or the session has no plugins, a suspiciously generic screen resolution, and other unusually “clean” signals.

Common red flags:

Timezone doesn't match IP location
WebGL data doesn't match the claimed OS
No browser plugins at all
Unrealistic screen resolution or color depth

None of these mean much by themselves.

But when multiple anomalies show up in the same session, it's usually a sign that something isn't right.

5. Someone is phishing your users first

Account Takeover doesn't always start with a technical exploit. Sometimes it starts with a convincing email.

A user gets a message that looks like it came from your platform:

"Suspicious login detected. Verify your account."

They click the link, enter their credentials on a fake page, and the attacker logs in normally.

Things worth watching for:

Password reset spikes you didn't expect
Support tickets about emails your team never sent
Users reporting suspicious calls or messages claiming to be from your company
Security setting changes immediately after a password reset or suspicious login

You probably won't stop phishing completely.

But you can detect what happens next. If an account resets its password, changes the email, and disables 2FA within minutes, that's usually not normal recovery behavior.

6. Transactions suddenly look different

Once attackers get access, they usually move quickly.

A user who normally makes one small purchase a month suddenly places several expensive orders within minutes. Or a new payment method gets added and all available credits are used immediately.

Patterns worth flagging:

1. Payment method changes followed by immediate purchases
2. Transaction amounts far outside the user's normal range
3. Rapid use of credits, loyalty points, or gift balances
4. Shipping address changes right before high-value orders

Legitimate user behavior is usually gradual and predictable.

Takeover activity tends to happen in short, aggressive bursts.

7. The traffic doesn't look human

Large-scale Account Takeover attacks usually run on infrastructure, not real user devices.

That often leaves patterns behind: cloud provider IPs, rotating proxy networks, automated browsers, or request timing that looks too consistent to be human.

Common signals:

Logins from data center or cloud provider IPs
IPs rotating unusually fast
Browser headers that don't look like normal user traffic
TLS fingerprints linked to automation tools
Extremely consistent request timing

None of these signals prove an attack on their own.

But together, they often point to automated traffic rather than real users.

How do you actually detect account takeover in real time?

None of these signals work well on their own. A VPN login isn't suspicious by itself. Neither is a password reset. But combine a VPN login, an immediate password change, and a new payment method within 60 seconds, and you start seeing a clear pattern.

The hard part is correlating everything in real time: login anomalies, device fingerprints, behavioral signals of account takeover, and bot patterns, across every request, without adding latency or friction for real users.

These kinds of problems are often handled well by dedicated bot protection platforms.

What's been your experience with Account Takeover? Any war stories? Drop them in the comments.

DEV Community: Andrew