Response Processors: Login Processor: Incident - Site Login User Sharing

Complexity: Low (2.0)

Default Response: None.

Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when multiple clients successfully log into the same account. Depending on the nature of the protected site, this can be perfectly acceptable behavior, however on some sites this type of behavior can indicate abuse.

Behavior: Many websites provide a way for users to authenticate so that their experience and data can be customized specifically for them. In the case of this incident, credentials for one of those accounts have been distributed to multiple clients and two or more of those clients are logging into the account. Unless the website expects users to share credentials, this would generally indicate a situation where the credentials for an account have been compromised and the account has been hijacked. Additional follow up can be required to recover the account (such as changing the password or locking the account until the actual owner contacts the administrators to resolve the issue).