EUROCONTROL Strengthens Security and Cyber Awareness for the European Aviation Industry with SpyCloud’s Automated ATO Solution

The European Organisation for the Safety of Air Navigation, or EUROCONTROL, is an intergovernmental organisation working to achieve safe and seamless air traffic management across Europe. EUROCONTROL’s member states, comprehensive agreement states, and stakeholders, including navigation service providers, civil and military airspace users, and airports, work in a joint effort to make aviation in Europe safer, more efficient, more cost effective, and with a minimal environmental impact.


When EUROCONTROL created its European Air Traffic Management Computer Emergency Response Team (EATM-CERT), the team was charged with seeking opportunities to enhance the organisation’s security posture and increase cybersecurity awareness.


After an evaluation of services, the team selected SpyCloud Employee ATO Prevention as the first tool in its cybersecurity framework because they saw protecting users against account takeover (ATO) and ransomware as a high-impact opportunity.


EUROCONTROL protects its 2,000 employees and 1 million constituent accounts on 130 domains from ATO that can lead to ransomware attacks, increases cybersecurity awareness, and provides enormous value to their security program with SpyCloud.

Protecting the European Aviation Industry Against ATO and Ransomware

EUROCONTROL fulfils the European Union’s commitment to “One European Sky” as an intergovernmental agency that supports aviation in Europe by delivering technical excellence and civil-military expertise across the full spectrum of air traffic management. The organisation consists of 41 member states, two comprehensive agreement states, and aviation stakeholders, including navigation service providers, civil and military airspace users, and airports. The agency’s mission is to support operations, research, and innovation for the aviation industry across the continent.

When the European Air Traffic Management Computer Emergency Response Team (EATM-CERT) was created within EUROCONTROL in 2017, the team sought security solutions that would make a quick impact on the community by enhancing the organisation’s security framework and also promoting cybersecurity awareness with their constituents. A key criteria for potential solutions was automation, since the team was new and had limited resources available to manage new programs.

“We are there to help the community and provide something that is adding value,” said Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager for EUROCONTROL. “We sought out new services that would make a difference in and help our community of member states and stakeholders.”  

The team initiated the lengthy public procurement process in which services were evaluated in an open, fair and transparent manner, with considerations during testing including whether the service was useful, impactful, and cost and resource efficient. 

One of the security challenges facing the aviation industry is “big game hunting,” in which cybercriminals target large, high-value organisations with ransomware. Aviation stakeholders, especially airlines and airports, manage a lot of personally identifiable information (PII) for passengers, which is an intriguing target for criminals as information that can be monetised.

Aviation tends to be an attractive target for cybercriminals and state-sponsored groups because it is a critical infrastructure sector for a country, and for a lot of countries they are very much dependent on aviation. It can be an important element of the economy, as well as a source of national pride. For aviation, it’s really important to be protected because we are a target for hackers with enhanced capabilities for attacks.”
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

SpyCloud Employee ATO Prevention was selected as the first value-added service for EUROCONTROL’s EATM-CERT program because it would make an immediate, high impact on the organisation by protecting accounts from account takeover  and ransomware using insights from data recaptured from the criminal underground. 

Previously, a national cybersecurity centre would alert EUROCONTROL of any breach notices and the team would handle that on a case-by-case basis as a result of an outside alert. Now with SpyCloud, EUROCONTROL proactively monitors and manages its employee and constituents’ user accounts to ensure compromised credentials aren’t being used within internal systems. SpyCloud Employee ATO Prevention protects 2,000 EUROCONTROL employee accounts and approximately 1 million constituent accounts from 130 domains against ATO and ransomware. 

Additionally, SpyCloud created a feature to provide account views and dashboards for each individual constituent using the service. The EUROCONTROL EATM-CERT team was able to implement and manage the solution quickly and with ease, with the scalability to accommodate new constituents. 

EUROCONTROL’s mission to achieve safe air space in Europe aligns well with SpyCloud’s mission to make the internet a safer place. While EUROCONTROL uses SpyCloud to protect against ATO and ransomware, another benefit of the solution is that it helps bring awareness to everyone’s responsibility to protect their credentials and identity.

As we move toward digitalisation, people tend to be naive about digital assets. For example, they will protect their passport, but not their credentials. We’re trying to convey the message that credentials are as important as your passport. It helps people understand the world we’re living in and to behave in a more responsible way.”
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

Offering SpyCloud Employee ATO Prevention to its constituents helps EUROCONTROL provide critical value-added services and strengthen its reputation. The agency’s success is evidenced in the addition of new constituents over time.


Protecting a Million Accounts from ATO and Ransomware

With EUROCONTROL supporting all aspects of aviation in Europe, SpyCloud’s Employee ATO Prevention protects the accounts for all EUROCONTROL constituents, including airlines, airports, and civil and military airspace users. While EUROCONTROL protects 2,000 of its own employees, the SpyCloud solution extends to its constituents, protecting approximately 1 million accounts from 130 domains from ATO. Since 2018, EUROCONTROL has been able to identify more than 300,000 vulnerable accounts and prevent potential ATO attacks.  

Further, protecting against ransomware attacks in a critical infrastructure sector such as aviation is paramount to ensure the safety of employees, passengers, military personnel, and all those involved in the European airspace. EUROCONTROL is able to use insights on malware-infected users from SpyCloud to help constituents prevent attacks that can have serious consequences.

We recently helped an aviation stakeholder identify that they had compromised systems. Our ability to identify infected users was really beneficial because their cyber capabilities didn’t detect that their system was subject to a cyber attack. It’s via the information of the compromised account from EUROCONTROL that they further investigated and they found out that their system was attacked.
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

Bringing Value and Awareness to All Constituents

Working with SpyCloud allows EUROCONTROL to not only address security challenges, but also bring awareness to the value of security solutions by making it personal. For example, during the test phase, SpyCloud was able to show EUROCONTROL board members their personal exposure on the criminal underground. This information helped the organisation see the value and importance of investing in this type of solution.  

“The biggest benefit of working with SpyCloud is raising awareness, really opening everyone’s eyes and making a big difference with something tangible to individuals, including senior management. The beauty of it is showing that all staff in the organisation have a responsibility. Everyone is a door to enter the organisation, and each of us is a guardian of that door. It’s not the business of just the IT security team. It’s everyone’s duty to behave in a way that will contribute to enhancing the level of resilience of the organisation. Because they are aware, they are careful and they are mindful about their responsibility with regard to their credentials,” Patrick said.

Strengthening Security For Every Constituent Through Automation and Efficiency

EUROCONTROL is able to offer SpyCloud services to all of its constituents, many of which may not be able to procure such a service themselves due to challenges with the procurement process, financial constraints, or competing priorities. 

“We help the community because the more companies that are aware of this kind of service and the benefits, the more they will be open to other cyber investments. It’s a dynamic that we’re creating to enhance the level of cyber culture,” Patrick said.

With SpyCloud, EUROCONTROL and its constituents can automate activities, responses, and analysis so the teams can be more efficient and focus on other value-added projects. 

“Having a certain level of automation is important because it allows us to conduct analysis that derives indicators and signals on a dashboard. It’s super flexible, efficient and easy, so it gives our team the opportunity to spend time on other priorities rather than manual tasks related to monitoring for and remediating compromised credentials,” Patrick said.

Bolstering Penetration Testing Capabilities with Recaptured Data

Password hygiene is critical for the organisations supported by EUROCONTROL. Many workers in the aviation industry are passionate about flying, and key phrases, aeroplane types or company names tend to show up in passwords, which is to be expected based on human behaviour. EUROCONTROL not only uses SpyCloud data to produce rainbow tables for penetration testing (pen testing), but it also plans to strengthen its overall password security and pen testing by developing an artificial intelligence/machine learning (AI/ML) application to identify aviation-related passwords based on SpyCloud’s dataset.

For an AI/ML tool to work, you have to train a model and for that you need a data set. Since our users are interested in aviation, they will use passwords with aviation terms in them. That’s where the SpyCloud service is really useful because most of the time, the passwords that have leaked can be cracked and therefore we can enrich our AI model with already known aviation-related passwords.
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

Support Regulatory Compliance Preparedness

When industry and government regulations have significant impacts for noncompliance, having a strong security framework is critical to ensure requirements are being met. For example, a EUROCONTROL constituent may find that they aren’t as prepared to meet regulatory requirements like GDPR, but having access to solutions such as SpyCloud Employee ATO Prevention through EUROCONTROL can strengthen their ability to comply.  

While there’s no regulation in place that requires organisations to investigate whether credentials are exposed, the SpyCloud solution can be part of your arsenal to demonstrate that you’re able to comply with the regulation. GDPR is tough and not everybody understands all the consequences of that immediately, so it may take a while to address the overall issue and the challenges around that regulation
Patrick Mana, Cyber Security Program Manager and EATM-CERT Manager

About SpyCloud

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Our products leverage a proprietary engine that collects, curates, enriches, and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Our unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings.

SpyCloud customers include half of the 10 largest global enterprises, midsize companies, and government agencies around the world. Headquartered in Austin, Texas, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

Download the PDF version of the case study to print or share with others.

Ecommerce Marketplace


Mobile Ecommerce Marketplace


Reduces ATO fraud and avoids $1 million in fraud losses in burgeoning Latin American market with SpyCloud

With over 27 million active users per month, this ecommerce marketplace provides a personalized and entertaining shopping experience to consumers around the world via mobile devices. As bad actors target its site and customers, the organization looked for new ways to proactively combat them.


Following a surge in fraud after high-profile data breaches in the Latin American market, the ecommerce marketplace sought innovative and effective ways to reduce account takeover (ATO) to protect consumer information and reduce financial losses due to fraud.


The marketplace chose SpyCloud Consumer ATO Prevention to detect when its consumers are using compromised credentials, so they can be reset to prevent ATO.


SpyCloud’s Consumer ATO Prevention solution has helped the company identify vulnerable accounts quickly and take action to prevent millions of ATOs. As a result, the marketplace avoided $1 million in fraud losses and enabled 2 full-time resources on the risk management team to focus on other projects.

Ecommerce Platform Sought Innovative Approach to Combat ATO

Historically, the ecommerce platform has experienced a higher fraud rate in the Latin American market, and noticed a spike in fraudulent activities and increasing losses following several high-profile data breaches that exposed credentials and sensitive data including credit card numbers. After the marketplace saw evidence of credential stuffing attempts and ATO attacks, the company sought innovative ways to protect their customers’ personal account information and their own bottom line.

For this organization, ATO impacts are two-fold: they negatively affect their brand reputation and their P&L. Accounts taken over by bad actors cause headaches for both the customer and the business, and can give the customer a perception of a lack of security on the marketplace. In addition to the potential loss of customers, fraudulent activity also causes increased chargebacks.

“ATO is one of those things that is very explicit for users who’ve been impacted. Even though financially there may not be huge impacts, it will create a scar when it comes to your trust with the customers.”
Director of Risk Management 

As the volume of ATO attacks and use of stolen credit card information increased on the platform, particularly with dormant accounts, tracking fraudulent activity proved to be a challenge for the ecommerce marketplace. While buyer behavior can offer insights into the validity of an account, the organization struggled to properly monitor suspicious account activity and transactions. 

Previous solutions that provided risk scores or signaled human versus machine behavior weren’t meeting the company’s expectations of combatting ATO. While these solutions were effective in detecting suspicious behavior, they came with a tradeoff between recall (identify as much fraud as possible with the lowest false negatives) and precision (accuracy in identifying bad actors with the lowest false positives so as not to disturb good users).

By using SpyCloud’s Consumer ATO Prevention solution, the ecommerce marketplace is able to leverage data recaptured from the criminal underground to flag users whose credentials are compromised, thus making the account vulnerable to ATO. Remediation steps include initiating challenges such as multi-factor authentication and password resets to better protect customers and their personal information. 


Reduced ATO Fraud Activity in LATAM Region by 90%

With Consumer ATO Prevention leveraging recaptured data from the criminal underground to identify accounts using compromised credentials, the ecommerce marketplace saw a 90% reduction in ATO in the Latin America region, which accounts for 50% of the company’s fraud activity in that area. As a result, the ecommerce marketplace avoided $1 million in fraud losses.

Prevented Millions of ATOs Globally

As the organization began using Consumer ATO Prevention, they found the scale of risk was much bigger than initially thought since they previously didn’t have the ability to properly benchmark ATO attacks. With the success in reducing ATO fraud activity in the LATAM region, the marketplace rolled out Consumer ATO Prevention across the entire platform to protect all user logins. SpyCloud’s solution proved to be the best balance between precision (low false positives) and recall (low false negatives).

Reduced Resources Dedicated to ATO Prevention

Before SpyCloud, the company’s risk management team was overwhelmed by work related to consumer account takeover, dedicating 2 data scientists and 1 engineer to the challenge. With SpyCloud, the company was able to reallocate 2 of these team members to other projects. Now, the team only requires a single data scientist to handle the reduced workload, and that team member still has the bandwidth to focus on other projects. Maintaining the SpyCloud API requires minimal time investment, as it runs automatically and only requires monitoring of high-level metrics.

“We value SpyCloud because not only does it help solve ATO, it also gives our team more bandwidth and allows us to provide a better customer experience.
– Director of Risk Management

About SpyCloud

SpyCloud transforms recaptured data to protect businesses from cyberattacks. Our products leverage a proprietary engine that collects, curates, enriches, and analyzes data from the criminal underground, driving action so enterprises can proactively prevent account takeover and ransomware, and protect their business and consumers from online fraud. Our unique data from breaches, malware-infected devices, and other underground sources also powers many popular dark web monitoring and identity theft protection offerings.

SpyCloud customers include half of the 10 largest global enterprises, midsize companies, and government agencies around the world. Headquartered in Austin, Texas, SpyCloud is home to over 150 cybersecurity experts who aim to make the internet a safer place.

Download the PDF version of the case study to print or share with others.




Industry: SOFTWARE

Atlassian Protects Its Enterprise And Its Customers While Saving Time With Automated ATO Prevention From SpyCloud

Atlassian’s team collaboration and productivity software helps teams organize, discuss, and complete shared work. Teams at more than 225,000 customers, across large and small organizations – including Bank of America, Redfin, NASA, Verizon, and Dropbox – use Atlassian’s project tracking, content creation and sharing, and service management products to work better together and deliver quality results on time.


Due to the increasing number of industry breaches, Atlassian sought a more efficient and proactive approach to addressing potential future incidents, without the burden of collecting, curating and validating exposed data on their own.


The company selected SpyCloud Employee ATO Prevention to proactively protect their 7,000 employees from the consequences of ATO, as well as SpyCloud Consumer ATO Prevention to detect potentially compromised customer accounts. 


Atlassian protects its employees and customers from cyberattacks with SpyCloud’s solutions, reducing resource hours spent researching Atlassian’s potential involvement in public breaches and securing its brand reputation.


Previously, Atlassian lacked visibility of the exposed credentials of their employees. Given the challenge of staying ahead of the ever-evolving threat landscape, they realized the need to proactively protect themselves against potential account takeover (ATO) attacks involving data stolen in third-party breaches. Atlassian prioritizes security and sought a reliable, scalable solution, allowing them to provide customers with the confidence that their corporate resources are secure.

Initially, Atlassian took a manual approach to addressing public third-party data breaches. For example, when an industry breach was made public, members of the security team would have to comb through the breach data to see if Atlassian was involved and would pre-process the dataset to make it actionable, then contact any impacted employees to remedy the issue. This manual process would take four or more hours per breach, and with breaches being made public seemingly every day, the team was spending too much time trying to keep up.

“We had to do everything manually before, and the whole process took a lot of time.”
Niels Heijmans, Principal Security Intelligence Analyst at Atlassian

They knew there had to be a better way and started looking into different options to help address their challenge. During their search, Atlassian evaluated vendors and found that many vendors were opaque in their data sources and collection time; it wasn’t clear where the data came from, or how old it was, or if the data set had already been actioned by Atlassian’s security team.


Transparency, the ability to quickly recapture data within days of a breach or malware infection occurring, and automated solutions made SpyCloud stand out from the competition. SpyCloud’s cyber analytics engine that transforms recaptured data from the criminal underground to make it truly actionable, coupled with its ability to recapture breached data earlier in the attack timeline, helped Atlassian solidify its decision to implement SpyCloud’s Employee ATO Prevention solution.

It took Atlassian a mere two weeks to fully automate the credential collection, verification and rotation process with SpyCloud’s API for both employees and customers, and the solution’s automation resulted in zero maintenance time. Atlassian is now alerted of any corporate credentials exposed in third-party breaches, and that notification triggers an automated ticket through their security operations center to action the issue, prompting the employee to reset their password. 

In addition to monitoring the use of exposed credentials, SpyCloud’s solutions help Atlassian identify when employees or suppliers accessing Atlassian services on personal devices are infected with malware, an incredibly difficult cyber threat to detect on devices outside of corporate control. The security team is then able to reach out to the infected user and help them remedy the issue by providing the infection source information and steps to remove the malware.

“It puts your organization at risk if a personal device is being used to log in with corporate credentials,” Niels said.

To combat this, SpyCloud offers unique data richness and transparency that goes beyond just finding compromised credentials. SpyCloud can tell you what user is infected with malware and for how long, which makes a difference in your incident response.

With the success of protecting employee accounts, Atlassian looked to fulfill their customer-focused corporate values by also protecting customer accounts with SpyCloud Consumer ATO Prevention. Many of Atlassian’s customers use their software to enable mission-critical tools, so a disruption or attack could have significant impacts, such as halting financial transactions or delaying critical medical decisions. Malicious actors gaining access to these types of business processes could have detrimental results, and Atlassian doesn’t stand for that. Protecting customers is at the core of how Atlassian operates.


Atlassian Protects Hundreds of Thousands of Corporate and Customer Accounts from ATO

Automated Solution Protects Employees and Enables Time Savings

Atlassian no longer spends hours manually processing public breaches. SpyCloud’s API allows Atlassian to quickly detect compromised credentials and remediate them automatically with SpyCloud’s fresh, actionable breach data and malware bot logs at their fingertips.

Because the solution is fully automated, we are able to process 14,000 unique credentials per month. This scalability allows us to use our resources efficiently.”

Extending ATO Prevention to Malware-Infected Users

Once Atlassian saw the results of how they were able to protect employee accounts and prevent ATO, they decided to explore how SpyCloud could help them support their corporate value to honor their customers. SpyCloud identified credentials from Atlassian users who had logged into their accounts using malware-infected personal devices. Atlassian tested 55,000 of these recovered logins against their consumer database over a three-month period and discovered that 70% matched their current Atlassian passwords. They were able to reset passwords for these users and secure their accounts. 

Today, Atlassian uses SpyCloud data to protect accounts for teams at over 225,000 customers and secure their mission-critical business processes.

Ease of Integration for Automation

Atlassian was able to easily integrate SpyCloud’s solutions into its security framework to maximize the value of its cybersecurity investments. SpyCloud’s solutions are integrated with AWS Lambdas, Jira, Splunk, and Atlassian’s security, orchestration, automation, and response (SOAR) solution to enable fully automated workflows that protect employee and customer accounts.

Icon - Products Integrations

Ongoing Support Enhances Vendor Relationship

SpyCloud’s dedicated customer success team ensures Atlassian’s satisfaction with its solutions and maintains an open communication cadence to support their needs. Whenever Atlassian requests feature updates or additional recently-recaptured data, SpyCloud’s team is quick to go the extra mile. 

“Whenever I have questions or feedback, the SpyCloud team is always willing to help,” Niels shared. 

They’re happy to have discussions about the products because we’re investing in them and finding value in them. And when I have ideas on improvements, there’s always someone from SpyCloud who will listen and help us.”

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.

Download the PDF version of the case study to print or share with others.

Fortune 100 Financial Services Company


Protecting a Fortune 100 Financial Services Company


Investigating the Global Threat Landscape



With high-value customer accounts on the line, this financial services company wanted to sharpen their account takeover prevention program to prevent more online fraud, as well as enhance their threat intelligence team’s investigations with breach data beyond what they could collect on their own. 


SpyCloud enables this firm to identify and remediate compromised consumer passwords at scale to lock out criminals. SpyCloud’s robust dataset also enriches the information the threat intelligence team can use to investigate fraud – which is important given that they typically start with only a few pieces of information.


Today, the firm protects millions of consumers around the world from account takeover fraud with SpyCloud. In their fraud investigations, SpyCloud data facilitates connections that weren’t possible before, helping the threat intel team get more out of their other data sources and deliver their findings with a higher degree of confidence. 

SpyCloud empowers enterprises against cybercrime by giving them access to the largest collection of compromised credentials and personally identifiable information (PII) in the security industry, as well as powerful tools for investigating threat actors and their personas.

One of the many large customers using the full set of SpyCloud data and research tools is a Fortune 100 financial services provider. This organization agreed to anonymously share details of their strategy for investigating and determining the credibility of threats to their consumers, employees, partners, and acquisition targets. For this security team, SpyCloud’s solutions have become key among the complex set of tools used to alert customers to threats, evaluate the risk of new business opportunities, understand the plans of cybercriminals, and hunt down fraudsters.

Threat Hunting

The financial services organization’s worldwide threat intel team uses a two-pronged approach to identifying, classifying and responding to threats. A tactical analysis team tracks the tactics, techniques, and procedures (TTPs) threat actors are using to target the organization, then determines response strategies depending on the type of threat, be it ransomware, malware, phishing, or credential stuffing.

A strategic analysis team investigates the perpetrators behind these attacks. The strategic analysis team identifies the individuals or groups who carry out attacks or share information related to the organization’s protections with other cybercriminals.

SpyCloud’s data helps these teams:

    • Protect consumer accounts from fraud by detecting and remediating exposed credentials.

    • Attribute threats to specific individuals or groups of actors and gather evidence for law enforcement.

    • Develop risk profiles on partners, vendors, and acquisition targets to protect the organization from inheriting risks through third parties.

Fraud Prevention and Investigation

Preventing fraud is the primary objective for this financial services firm, and SpyCloud helps by giving the fraud team reliable and fast access to breach data that can help prevent account takeovers. In these attacks, criminals use lists of known username and password pairs, often obtained from breaches, to attempt to log into financial accounts. Once in, they may change key account information to lock out the rightful owner and siphon funds elsewhere. Other tools and tactics are used depending on the criminals’ ultimate plan to monetize these stolen accounts – for example, some may be resold on the underground market – but stopping account takeovers in the first place is the best way to prevent financial fraud.

Among companies monitoring the dark web and cybercriminal underground, SpyCloud typically recovers, curates, and gets breach data into customers’ hands the fastest, thanks to its human intelligence-driven approach. This means customers like this Fortune 100 financial services organization can act on SpyCloud data quickly, alerting compromised customers before cybercriminals can monetize their information.

The task of protecting consumers for this organization is huge. Each day, the security team sees a massive volume of credential stuffing attacks against customer accounts. Many are low-level threats, in which attackers simply automate lists of password and username combinations to see if they manage to find a successful login. To prevent that success, the organization regularly checks their entire customer database against SpyCloud’s breach data to identify exposed credentials and force customers to reset them.

Pro Tip: Scanning your entire customer database and forcing credential resets for compromised users is a tactic SpyCloud recommends for all its customers, and the benefits extend beyond preventing fraud or providing peace of mind for security teams. Companies who proactively monitor and remediate for password exposures are more likely to retain customers. A PWC study of U.S. adults found that 87% of consumers say they will take their business elsewhere if they don’t trust that a company is handling their data responsibly. Most consumers do trust financial organizations with their data, and by being proactive in helping consumers avoid fraud, organizations can prove their commitment to responsible data handling.

Other account takeover attempts are more dangerous, carried out by motivated, adaptive threat actors who are specifically targeting the firm’s customer accounts. As the team explains, “We see actors that are very unsophisticated that just don’t care…and then we have actors who will respond within a certain time frame to a given control being introduced that specifically blocks their activity. Sometimes it’s 8 hours, sometimes it’s 24 hours, sometimes it’s a few days, but we can always tell which actors are targeting us and we notice certain patterns.”

Particularly for these targeted attacks, resetting compromised passwords quickly is essential. A consumer’s account is vulnerable the moment a new data breach exposes their login. SpyCloud’s fast access to new breach data enables the firm to shorten that exposure window by resetting exposed passwords quickly to head off this type of attack. 

Reducing Outside Risk

Today’s enterprises rely on hundreds of partners, vendors, and other third parties to deliver products and services to consumers around the world. Each outside group with access to the network presents a multitude of cybersecurity risks. This financial services organization uses SpyCloud’s investigation solution and breach data to see deeper into third parties’ overall risk profile, which is especially helpful in understanding the potential risks posed by acquisition targets.

At the beginning of an M&A process, the security team uses SpyCloud to investigate whether the target company has had any data breaches that they haven’t disclosed, whether because they have chosen not to inform the acquiring company or because they don’t know that they have been breached.

As the team investigates, the PII in SpyCloud’s database can help them identify exposed information they may not have previously known was in criminal hands. Names, addresses, phone numbers – each provides another pivot point for the investigation. The team will not only create a risk profile for the business, but will also identify the exposure of key executives and employees who may join the larger organization after the acquisition. It’s Zero Trust on an individual level.

Confidence is the Key to Intelligence Value

As a global organization serving many millions of customers and interacting with thousands of third parties, this financial services organization relies on SpyCloud as a critical part of its collection of intelligence-gathering tools. In this industry, security professionals know that confidence in the credibility of intelligence sources simplifies the difficult task of identifying threat actors, preventing their attacks from infecting consumers, and, hopefully, leading law enforcement to make arrests.

When reporting to internal stakeholders or to law enforcement, SpyCloud’s customer knows that their assessments of threats and threat actors are made with a higher degree of confidence because of the reliability and credibility of SpyCloud’s data.

The SpyCloud Difference

Truly Actionable Recaptured Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.

Global Fintech Company


Global Fintech Company


SpyCloud Enabled a Global Fintech Company to Protect Thousands of Vulnerable Accounts Representing Tens of Millions of Dollars

Fintech Account Takeover Prevention Case Study - SpyCloud
Benefit #1:

Account Takeover Prevention

With SpyCloud, this company is able to combat both automated and targeted account takeover attacks against their consumers.

Scroll to Benefit 1

Benefit #2:

Automation at Scale

Using the SpyCloud API, the company has been able to automate nearly 100%, freeing up time for the security operations team.

Scroll to Benefit 2

Benefit #3:

Infected User Intervention

The company has protected thousands of accounts by intervening proactively when consumers appear in SpyCloud’s botnet data.

Scroll to Benefit 3

About the Customer

This case study covers an anonymous SpyCloud customer – a fintech platform used by merchants, consumers, and traders all over the world. The company also provides merchant payment processing systems and tools supporting some of the most highly trafficked websites. Due to the valuable and sensitive nature of its users’ information and assets, threat actors are continuously looking for ways to exploit them.

Combating Automated and Targeted Account Takeover (ATO)

With so much at stake for its business and customers, this company invests heavily in cybersecurity. It goes to great lengths to not only protect customers and employees, but also to educate them on how to protect themselves and why it matters. Despite warnings for the last several years, many consumers continue to reuse passwords across multiple websites and services. When one site is breached, threat actors apply those stolen credentials to access consumer accounts on other sites.

“We know that password reuse and compromised credentials are still the number one way that people get themselves hacked,” explained the head of the organization’s security operations team. “We’re one of the few major consumer-facing platforms that requires two-factor authentication for all of our users. But even with 2FA, a stolen or lost password is still a really bad security situation.”

The company uses SpyCloud to check users’ credentials proactively, identifying logins that appear in SpyCloud’s breach data, and taking action to secure vulnerable accounts as soon as possible after an exposure. In addition to protecting users from account takeover by locking out potential attackers, this also helps to reduce the confusion caused when users receive unexpected 2FA codes during credential stuffing attempts.

“Since starting to use SpyCloud, we’ve seen a corresponding drop in partial logins, which might happen if there’s a login attempt using a breached login combination that can’t bypass two-factor authentication, for example. But that still triggers a login notification to the user and they get confused. For us to be able to get ahead of that curve and know that we can prevent these partial login attempts in the first place adds an extra layer of defense.”

High-volume credential stuffing attacks aren’t the only concern for this organization. Given the substantial monetary value of the accounts they manage, cybercriminals are very motivated to invest time and effort into targeted, creative attacks against their customers. As a result, the company not only uses SpyCloud data to reset exposed passwords, but also to help model clients’ account takeover risk behind the scenes to determine who may be at highest risk of an attack. For example, the company has found that being exposed in a data breach at all —regardless of whether a password was exposed—increases customers’ likelihood of being targeted for SIM-swapping.

“We get some predictive data out of SpyCloud that we factor into our risk models. If you have recently appeared in a data breach, you are at elevated risk of SIM-swapping and that’s something we can take action on accordingly.”

Users’ breach exposures can reveal not only risks created by the specific information criminals have access to, but also the ways a user’s own habits can put them in danger. By including that information in risk models, the security team can identify accounts that may require additional oversight or even individual outreach for education.

“If you have 30 or 40 passwords exposed, or if 20 of them are the same, it tells us something about your security patterns as an individual. That means we can do some targeted individual outreach with clear recommendations, or factor that information into our ATO risk models. If someone has a higher risk of ATO due to their prominence in the community or the balances they carry, but they don’t demonstrate the same security hygiene that we hope for, we might want to put in some countermeasures.”

Automating Account Takeover Prevention at Scale

The company’s security operations team reviewed several options and chose SpyCloud because of its industry-leading cybersecurity expertise and robust dataset, which provided a match rate of 3-5 percent on customer-facing credentials during their initial data test.

The team was also impressed with the speed of SpyCloud’s high-volume, performant API, which is important because if the company opts to gate a user login, verification of the account credentials needs to be instantaneous. The API interface was also easy to work with during implementation, making setup a breeze.

“The SpyCloud API was super easy to integrate. It took a day and a half for our engineers, and then it was just up and running. We’ve had the integration in place for a year now and had zero issues, zero downtime. On the technology side, it’s an enterprise-grade API for us.”

With access to high-quality, regularly-updated breach data from SpyCloud, the company was able to eliminate manual sourcing for credential lists, which had been taking about half of a full-time employee’s time without coming close to satisfying the organization’s needs. In addition, the team was able to create automated workflows using the SpyCloud API that freed them up to work on higher-value projects.

“Our goal is always to automate as much as possible, and in SpyCloud’s case, we’ve been able to automate virtually 100%. That has been a tremendous time saving so we can focus on things that are more targeted, unique, or interesting.”

Automation opens up more time for activities that can help the team continually improve their sophisticated account takeover prevention program, such as performing internal investigations to evaluate trends and root cause analysis, and determine if there are additional mitigations they might be able to put into place to protect customers. To help support these activities, the team uses SpyCloud’s API to integrate SpyCloud data into their Security Orchestration, Automation and Response (SOAR) tools.

Using SpyCloud data in conjunction with SOAR tools helps the team enrich and pivot on their investigation data, as well as provide additional feedback for their account takeover modeling. For example, SpyCloud data has helped the team correlate credential stuffing botnets to understand the sources of the combolists they’re testing and determine if other accounts might be at risk. Using lists of stolen credentials, malicious actors leverage this type of botnet to bombard websites with attempts to gain access using the stolen logins.

“Given the passwords these botnets are trying, we can develop hypotheses about where they’re getting their source data and to some extent, what software is being used. This lets us pivot and see what other email addresses were exposed in that particular breach.”

Through scenarios like this, SpyCloud helps the team strengthen their defenses proactively in support of their primary objective: “We do everything we can to protect our users and their funds.”

Protecting Consumers from Credential-Stealing Botnets

SpyCloud recovers some data collected by botnets – malware infections that siphon credentials and other data from users’ systems and send them to an attacker’s command and control panel. If a user’s credentials appears in a botnet record, it’s likely that attackers also have access to a substantial amount of other sensitive data, including their personal information, additional credentials, web history, browser fingerprint, and more. These users are at extremely high risk of account takeover, and criminals often start by targeting valuable accounts such as those belonging to customers of this fintech company.

By using SpyCloud data to identify users whose data has appeared in botnet records, this company has been able to lock cybercriminals out of thousands of highly vulnerable accounts.

“With SpyCloud’s botnet data, we’ve protected thousands of accounts representing tens of millions of dollars of funds. They are users we found in SpyCloud’s botnet data, where we were able to successfully intervene and force password resets and account recoveries before an attacker was able to do something malicious with those credentials.”

Because these users’ systems have likely been compromised, the company takes steps to ensure reset passwords don’t end up right back in an attacker’s hands.

“We assume that if your [customer login] credentials appear somewhere in the botnet data, your email and phone and other mechanisms for proving you are who you say you are are compromised, too,” explained the head of the security operations team. “By educating customers about cybersecurity, the team hopes to help users eliminate the malware from their systems and prevent them from falling into similar traps in the future.”

“With the botnet data, we saw a very easy way to give a high-signal, highly targeted message to end users where not only can we say that we’re going to take more extreme security measures, lock the users’ account, and require them to re-verify; but we’re also able to send them an email saying, ‘it looks like your password was stolen due to malware; before you recover your account, we highly recommend running some sort of antivirus scan, using a password manager…’ Otherwise they’re just going to end up back in the same position.”

With valuable accounts at stake, consumers’ reactions to this outreach have been positive. Even better, this approach means the company has not only protected accounts on its own site but likely others as well, preventing immeasurable damage.


Using SpyCloud data to support consumer account takeover prevention enables this company to support one of their guiding principles: maximizing security without sacrificing usability.

“Security and usability are often seen as opposites, as tradeoffs. We strive to make sure they aren’t,” they explained. “We want to be the most secure and most trusted, but we still want to be the most useful. That’s where SpyCloud fits in because it gives us the data we need to intervene when we need to, and then leave users alone when we don’t.” Rather than forcing users to jump through hoops that might encourage more bad habits, the team strives to provide as much protection as possible without adding friction to the login process.

“We look for ways to make login and authentication as easy for users as possible and still help intervene at key points to prevent them from harming themselves. If we can see that a user has a bad pattern of setting simple, predictable passwords that are going to get them in trouble later, that allows us to do a targeted intervention. SpyCloud gives us another tool in our arsenal to protect our customers without forcing them to try to think like a security team.”

Beyond protecting consumer accounts, the team highlighted some additional benefits that are often overlooked, such as the reputational value of investing in account takeover prevention.

“We look at SpyCloud as reputation mitigation as well. You can do everything right and still end up in headlines for the wrong reasons. At a certain volume, ATO is indistinguishable from your platform’s security being compromised.”

The team also emphasized the bigger picture, pointing out how interconnected financial services accounts have become. Because of integrations between different types of accounts from both fintech and traditional financial accounts, an account compromised on one platform can easily cascade into losses for another provider. Conversely, companies with strong account takeover practices provide additional protection for providers whose users have connected accounts. Ultimately, the team hopes more financial services organizations start using SpyCloud. 

“As more companies start to use SpyCloud and check for compromised credentials, there are some really powerful network effects that can come out of it. We’ll all benefit.”

The SpyCloud Difference

Truly Actionable Recaptured Data Data

SpyCloud solutions are backed by the world’s most current and comprehensive repository of recaptured data from breaches, malware infections, and other underground sources – with billions of exposed credentials and PII. It’s the same data that fraudsters use, but we make it actionable to prevent account takeover, ransomware attacks, and online fraud.


Download the PDF version of the case study to print or share with others.