Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Response Processors: Login Processor: Incident - Site Login Multiple IP

    Complexity: Informational (0.0)

    Default Response: 3x = Site Login User Sharing

    Cause: The login processor is designed to protect the login dialog of the website. It works by monitoring all login attempts and identifying suspicious and malicious events. This specific incident is triggered when multiple clients log into the same account. Both successful and unsuccessful attempts are counted for this incident. Depending on the nature of the protected site, this might be perfectly acceptable behavior, however on some sites this type of behavior can indicate abuse. This incident alone is not considered malicious, but is used to perform additional analysis and potentially promote the event as a malicious incident if an abusive pattern is identified. Note that invalid login attempts from different subnets can also trigger this incident.

    Behavior: Many websites provide a way for users to authenticate so that their experience and data can be customized specifically for them. In the case of this incident, credentials for one of those accounts have been distributed to multiple clients and two or more of those clients are logging into the account. Unless the website expects users to share credentials, this would generally indicate a situation where the credentials for an account have been compromised and the account has been hijacked. Additional follow up might be required to recover the account (such as changing the password or locking the account until the actual owner contacts the administrators to resolve the issue).

    Published: 2015-02-04