You log in to your loyalty account to cash in a year’s worth of points—only to find them wiped clean. No redemptions in your history, no trace of your perks. This isn’t a UX glitch—it’s account takeover (ATO), and it’s not personal.
The cybercrime ecosystem isn’t just a place where criminals discuss how to profit from hacking consumer accounts—it’s a supply chain in its own right.
Account takeover has become a thriving underground economy—and for retail and hospitality brands, failing to stop it can mean millions lost in point reimbursements, support costs, and long-term customer trust.
The Scale of ATO
According to Flare’s 2024 Account and Session Takeover Economy report, the global infostealer ecosystem is fueling a surge in ATO attacks with an average annual growth of 28% in exposed credentials. Many of these logs include active session cookies, meaning attackers can bypass traditional authentication entirely.
This supply chain typically includes:
- Initial Access Brokers selling infostealer logs and session cookies for $5–$20
- Fraud guides tailored for specific retail platforms and loyalty systems
- Automation tools for replaying stolen credentials at scale
- Buyers who redeem points, cash out gift cards, or resell access on Telegram, forums, and marketplaces.
In other words, your customer accounts—whether loyalty programs, online ordering portals, or booking platforms—aren’t just vulnerable, they’re monetizable.
Why This Matters to Security Teams in Retail & Hospitality
Retail and hospitality brands thrive on convenience, loyalty, and trust—all of which rely on seamless digital account experiences. Unfortunately, these same qualities make them soft targets:
- Loyalty programs often lack MFA and contain valuable, cash-equivalent points.
- E-commerce platforms store saved payment methods, addresses, and preferences—perfect for fraud.
- Session hijacking is especially dangerous because traditional defenses such as password resets and MFA challenges often don’t apply: once a session token is stolen, it can be reused undetected unless sessions are proactively monitored.
The result? Lost revenue, massive customer support overhead, and reputational damage that’s hard to fix.
Four Key Recommendations from Flare to Protect Your Customers’ Accounts
To break the chain and defend your customers, Flare recommends a layered, proactive approach:
1. Set Reasonable Cookie Durations
Long-lived session tokens increase the risk window for attackers using stolen cookies. Shorten cookie lifespans and require re-authentication for high-value actions like:
- Point redemptions
- Gift card purchases
- Booking finalization
2. Monitor for Exposed Sessions
Use solutions like Flare to ingest stealer logs and detect exposed credentials and session tokens before abuse occurs. This allows your security team to:
- Preemptively invalidate sessions
- Notify affected users
- Investigate unusual login patterns
3. Track Threat Actor TTPs on the Dark Web
The dark web is where ATO playbooks are exchanged, sold, and refined. Continuously monitor for:
- Fraud guides targeting your platform
- Mentions of your brand in stealer logs
- Automation tools aimed at your login endpoints
This intelligence can directly inform your fraud detection rules, rate-limiting thresholds, and bot mitigation strategies.
4. Enforce MFA on High-Risk Accounts
Even if full-site MFA adoption isn’t feasible, enforce adaptive MFA on:
- Accounts with stored payment methods
- Loyalty balances over a certain threshold
- Previously compromised users
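The following is an added example, not Flare’s code, showing how recommendations 1, 2 and 4 combine in a single authorization check for a loyalty or ordering backend: a short absolute cookie lifetime, a fresh re-authentication window for high-value actions, revocation of session ids that turned up in stealer logs, and adaptive MFA only for high-risk accounts. The policy values, the action names and the `Account`/`Session` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Policy values below are constructed for illustration, not taken from the post.
MAX_SESSION_AGE = timedelta(hours=12)          # absolute cookie lifetime (rec. 1)
REAUTH_WINDOW = timedelta(minutes=10)          # recent strong auth needed for high-value actions
LOYALTY_MFA_THRESHOLD = 50_000                 # balance that makes an account high-risk (rec. 4)
HIGH_VALUE_ACTIONS = {"redeem_points", "buy_gift_card", "finalize_booking"}
REVOKED_SESSIONS = set()                       # session ids seen in stealer logs (rec. 2)


@dataclass
class Account:
    has_stored_payment: bool
    loyalty_points: int
    previously_compromised: bool


@dataclass
class Session:
    session_id: str
    issued_at: datetime
    last_strong_auth_at: datetime   # last password (+MFA) verification on this session
    mfa_verified: bool = False


def is_high_risk(account: Account) -> bool:
    """Recommendation 4: adaptive MFA only where an attacker's payoff is high."""
    return (account.has_stored_payment
            or account.loyalty_points >= LOYALTY_MFA_THRESHOLD
            or account.previously_compromised)


def revoke_exposed(exposed_ids) -> int:
    """Recommendation 2: invalidate sessions whose ids appeared in exposed logs.
    Returns how many ids were newly revoked."""
    new = set(exposed_ids) - REVOKED_SESSIONS
    REVOKED_SESSIONS.update(new)
    return len(new)


def authorize(session: Session, account: Account, action: str, now: datetime) -> str:
    """Return one of: allow, revoked, expired, reauth, mfa."""
    if session.session_id in REVOKED_SESSIONS:
        return "revoked"                        # a replayed stolen cookie stops here
    if now - session.issued_at > MAX_SESSION_AGE:
        return "expired"                        # short absolute lifetime limits the window
    if action in HIGH_VALUE_ACTIONS:
        if now - session.last_strong_auth_at > REAUTH_WINDOW:
            return "reauth"                     # a cookie alone cannot cash out points
        if is_high_risk(account) and not session.mfa_verified:
            return "mfa"
    return "allow"
```

Low-risk browsing stays frictionless; only the actions the post lists as high-value, and only the accounts it lists as high-risk, pick up the extra challenge.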
The ATO economy isn’t slowing down—it’s scaling. Monitoring session exposure, tuning cookie lifecycles, tracking adversary tactics, and applying friction where it counts can drastically reduce your risk profile—without sacrificing your customers’ experience.
About Flare
Flare is the leader in Threat Exposure Management, helping organizations of all sizes detect high-risk exposures found on the clear and dark web. Combining the industry’s best cybercrime database with a ridiculously intuitive user experience, Flare enables customers to reclaim the information advantage and get ahead of threat actors. For more information, visit https://flare.io.