Response Processors: Login Processor: Incident - Site Login Multiple Usernames
Complexity: Suspicious (1.0)
Default Response: 3x = Site Login User Pooling
Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when a single client successfully authenticates with multiple distinct usernames. This incident alone is not considered malicious, but it is used to perform additional analysis and can be promoted to a malicious incident if an abusive pattern is identified.
Behavior: There are two possibilities for this incident. First, a single user might have signed up for multiple accounts on the protected site and is simply using those accounts. On some sites, this alone would be considered malicious, while on other sites it is considered perfectly acceptable. For example, an online e-mail provider can allow its users to sign up for multiple e-mail accounts. On the other hand, a billing website for your home utility provider would probably not expect a single household to have multiple accounts. The other possibility is that a single user has hijacked several other accounts. This can be more obvious if there is also a "Site Login User Sharing" incident for the username. This would indicate that not only is the malicious user logging into multiple accounts, but other users are also logging into those accounts. Generally, an account should be used by a single user unless the website has specific rules about allowing users to share account details.
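The correlation described above can be sketched as detection logic over login events. This is an added example, not the product's own code. The event tuple layout, the client identifiers, and the rule that one incident is counted each time a client succeeds with a username it has not used before (after its first) are assumptions; the threshold of 3 comes from the "3x" default response.

```python
from collections import defaultdict

# Constructed sample events: (client_id, username, login_succeeded)
EVENTS = [
    ("client-A", "alice", True),
    ("client-A", "alice", True),   # same username again: nothing new
    ("client-A", "bob", True),     # second distinct username: incident 1
    ("client-A", "carol", False),  # failed login: ignored by this incident
    ("client-A", "carol", True),   # incident 2
    ("client-A", "dave", True),    # incident 3: reaches the 3x threshold
    ("client-B", "erin", True),    # one username only: no incident
    ("client-C", "bob", True),     # "bob" is now used by two clients
]

POOLING_THRESHOLD = 3  # the page's "3x = Site Login User Pooling"


def analyze(events, threshold=POOLING_THRESHOLD):
    """Return per-client findings for clients with multiple usernames."""
    users_by_client = defaultdict(set)   # client -> usernames it logged in as
    clients_by_user = defaultdict(set)   # username -> clients that used it
    incidents = defaultdict(int)         # client -> multiple-username incidents
    for client, username, succeeded in events:
        if not succeeded:
            continue  # only successful authentications count here
        clients_by_user[username].add(client)
        seen = users_by_client[client]
        if username not in seen:
            seen.add(username)
            if len(seen) > 1:  # assumed counting rule, see lead-in
                incidents[client] += 1
    report = {}
    for client, count in incidents.items():
        # Accounts this client used that other clients also used: the
        # overlap with "Site Login User Sharing" that suggests hijacking.
        shared = sorted(u for u in users_by_client[client]
                        if len(clients_by_user[u]) > 1)
        report[client] = {
            "multiple_username_incidents": count,
            "user_pooling": count >= threshold,
            "shared_usernames": shared,
        }
    return report


if __name__ == "__main__":
    for client, finding in analyze(EVENTS).items():
        print(client, finding)
```

A client that reaches the threshold with no shared usernames fits the first possibility (one person, several accounts); a non-empty `shared_usernames` list is the pattern that warrants a closer look.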