Response Processors: Login Processor: Incident - Site Login Multiple IP
Complexity: Informational (0.0)
Default Response: 3x = Site Login User Sharing
Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when multiple clients successfully log into the same account. Depending on the nature of the protected site, this may be perfectly acceptable behavior, however on some sites this type of behavior can indicate abuse. This incident alone is not considered malicious, but is used to perform additional analysis and potentially promote the event as a malicious incident if an abusive pattern is identified.
Behavior: Many web sites provide a way for users to authenticate so that their experience and data can be customized specifically for them. In the case of this incident, credentials for one of those accounts have been distributed to multiple clients and two or more of those clients are logging into the account. Unless the web site expects users to share credentials, this would generally indicate a situation where the credentials for an account have been compromised and the account has been hijacked. Additional follow up may be required to recover the account (such as changing the password or locking the account until the actual owner contacts the administrators to resolve the issue).
