Defining exposure, costs, and impact of compromised end user accounts

Executive Summary 

Session hijacking has emerged as the preeminent way for cybercriminals to execute account takeover attacks (ATO) and they enable the bypassing of traditional security measures like multi-factor authentication (MFA). This research report explores the prevalence of session hijacking across industries, highlighting its increasing role in ATO incidents and the economic impact it poses for organizations.

Key findings from the report include:

• Exposure rates vary by industry, with social media, cloud applications, and entertainment platforms having the highest numbers of average monthly compromised sessions
• The average annual growth rate of exposed accounts is 28% which is largely tied to the proliferation of infostealer malware 
• The economic impact of ATO and session hijacking is significant, factoring in:
  • Labor costs for security investigations (~$26.2M annually for a large streaming platform)
  • Fraud losses from account takeovers (~$7.5M annually)
  • Customer churn risk, which can lead to tens of millions in lost revenue each year.

This report underscores the urgent need for proactive ATO prevention strategies, emphasizing the role of automated identity intelligence, session re-authentication policies, and early exposure detection in mitigating the risks associated with session hijacking.

Session Hijacking – “The Path of Least Resistance” to Account Takeovers (ATO)

An account takeover (ATO) attack is exactly what it sounds like—when a cybercriminal or threat actor gains unauthorized access to an account for a web application. Whether the account is personal or a corporate asset, attackers have numerous ways to exploit or monetize stolen credentials. This report primarily focuses on personal accounts, examining how ATO impacts some of the world’s most widely used web applications, most of which are business-to-consumer (B2C) rather than business-to-business (B2B) products.

Attackers have historically used several methods to take over accounts, including phishing, social engineering, leveraging credential leaks, brute-force attacks, or simply guessing weak passwords. (At the time of this report, one of the more common passwords is likely some variation of Winter2025.) Over the years, account security has improved significantly, with password complexity requirements, login attempt limits, and multi-factor authentication (MFA) becoming standard, even for consumer applications.

However, one technique remains largely unaffected by these security measures: session hijacking. This method exploits session cookies or tokens—technology designed to improve user convenience—against the user. Despite being a well-known technique, session hijacking has played a role in major breaches, including the 2023 Okta incident. The fact that even reputable cybersecurity companies have fallen victim to this method underscores the difficulty of defending against it.

In 2024, Google researchers reported that session cookie-based attacks occur as frequently as password-based attacks. The increasing prevalence of session hijacking can be simply explained through the classic “motive, means, and opportunity” framework for analyzing crime (see Figure 1). This technique sits at the intersection of:

• Lucrative financial incentives (covered later in this report).
• Widespread availability of low-cost or free tools that allow attackers to easily replicate browser sessions, often referred to as “anti-detect” browsers.
• Infostealer malware operations which Flare has reported on in depth over the years. “Stealer logs” containing compromised session tokens and credentials kick off the flywheel of opportunity by providing a steady supply of fresh stolen data that can be leveraged in attacks.  

Session Hijacking Exposure by Industry 

Data Preface

The data you will find in this section is largely based on infected devices. In other words, devices where infostealer malware was successfully executed and browser data was extracted. The data is based on collection efforts spanning approximately four years. For simplicity, we recommend assuming one exposed device corresponds to one exposed account. While it’s certainly true that a number of infected devices may contain multiple exposed accounts for the same application, and a number of exposed accounts may appear on multiple infected devices, these subsets are assumed to more or less balance each other out. This 1:1 estimation provides a reasonable, albeit imperfect, baseline into ATO and session hijacking exposure. The data focuses on over 100 of the world’s most widely used web applications, broken down by industries and sub-industries, with company names anonymized. 

ATO Exposure Rate

  Average New Exposed Accounts (Monthly)

Average New Exposed Accounts (Monthly) – Scaled View

Observations

Additionally, stricter policies around session cookies and authentication contribute to the relatively low exposure observed in cybersecurity, banking, and gambling applications.

There is a clear correlation between the number of users a web application has and its exposure within Flare’s database. Large social media platforms, with hundreds of millions of users worldwide, tend to have higher exposure, whereas cryptocurrency exchanges and gambling websites typically have a smaller user base and correspondingly lower exposure.

It is important to consider the inherent device bias in this dataset. In most cases, these accounts were leaked from a browser on a Windows laptop or desktop rather than a mobile device like a smartphone or tablet. As a result, applications primarily used on mobile devices are underrepresented in this dataset.

Estimated Annual Growth Rate in Exposed Devices

The following data is based on Flare’s collection efforts dating back to 2021. This growth rate is a reflection of the annualized year over year growth of exposed accounts over the past four years.

Observations

• Fintech or financial technologies representing the highest growth rate could be a sign of both increased worldwide adoption of these services and increased attacker opportunity. 
• Gambling coming in at the lowest growth rate is interesting, considering the explosion in growth and visibility that industry has seen in North America. The aforementioned authentication practices and device bias could account for this. 

Quantifying the Economic Impact of Session Hijacking for Large Web Apps 

Precisely quantifying the economic impact of session hijacking is challenging. To help organizations estimate their risk, we’ve developed an ROI calculator that breaks down web app exposure by industry. By multiplying the average monthly exposed accounts  by the approximate cost of a single account takeover, organizations can derive a baseline estimate of risk exposure to active sessions. It’s important to note that this calculator is by no means exhaustive, and other factors – namely labor, fraud, and customer churn – must be considered to gain a comprehensive understanding of session hijacking risks.

Labor 

Labor is a simultaneously obvious and yet under-quantified cost. In 2023, Amazon disclosed that they invested over $1.2 billion and dedicated over 15,000 employees to fraud and abuse, implying over 25 million working hours per year. Only a select few companies in the world have these kinds of resources, however. A better way to think about labor costs is on a per investigation basis, which we’ve broken down in the box below. 

Account Takeover Investigation Cost Assumptions 

1. Hourly rate assumption: $60-$75

• Assumes a $130K – $150K “fully loaded” salary and additional compensation package for a cybersecurity or fraud/risk professional 

2. Time spent per true-positive investigation: 30 Minutes to 1 Hour 

• Assumes time spent triaging alerts from detection tools, correlating data from threat intelligence sources and internal logs, and any relevant cross functional communication that occurs before an action is taken 

In practice, an investigation could be faster (30 minutes, $30–$40) if it’s straightforward, or slower (2 hours, $130–$150) if it’s complex. But $70 is a good baseline average for labor on a single account takeover investigation.

By multiplying $70 dollars by the number of annual account takeover investigations, you can establish a baseline for labor costs. This calculation also highlights potential savings opportunities from implementing proactive, automated, and scaled workflows built on identity intelligence. For instance, if newly discovered credentials and active sessions are automatically flagged for password resets and session re-authentication, the volume of account takeover investigations can be reduced—saving $70 dollars for each incident avoided and unlocking more time for busy analysts to spend on higher value tasks. 

Fraud Losses 

Losses from fraudulent activity following an account takeover can vary wildly based on the industry and the type of web application involved. For instance, accounts for streaming services typically present lower fraud risks, more or less limited to the value of their monthly subscriptions. In contrast, merchant accounts for e-commerce platforms can result in losses reaching tens of thousands of dollars or more. Below is a chart summarizing estimated per-account fraud losses broken down by industry. While not comprehensive, we intended to illustrate the diverse ways a single compromised account can be exploited for fraudulent activities.

The Sift report is particularly valuable because it captures both customer sentiment and real-world security experiences, shedding light on how well companies communicate risks and respond to ATO incidents. Using these insights as a baseline, we built a model around Vidz2Stream, a fictional streaming platform with 150 million global users, charging $20 per month ($240 per year) for its service:

ATO Customer Churn Model for Fictional Streaming Platform Viz2Stream

• Total customers: 150 million
• ATO incidence rate: 0.5%
  • We discussed a 1.4% median ATO exposure rate earlier in the report. Understanding that not all exposures are acted upon by cybercriminals, we’re estimating a 0.5% incident rate, roughly 1/3rd of the exposure rate.
• Implied number of customers impacted by ATO per year: 750,000
• Blame the Brand/Company Sentiment: 73%
• ATO Notification Split:
  • Notified by the company (43%): ~322,500
  • Not notified (57%): ~427,500
• Churn Rate Assumptions:
  • Notified + Blame Brand: 15%
    • Even if they blame the brand, being notified builds some goodwill or at least shows the company took proactive steps. We assume a lower churn than if they were not notified.
  • Notified + Don’t Blame Brand: 5%
    • This group is relatively more forgiving. They trust that “incidents happen,” and the company did the right thing by informing them. A 5% churn rate reflects a smaller fraction that might still quit out of an abundance of caution.
  • Not Notified + Blame Brand: 30%
    • This group is likely to feel betrayed because they blame the company and the company failed to notify them. Thus we assume a significantly higher 30% churn rate.
  • Not Notified + Don’t Blame Brand: 10%
    • Although they don’t blame the brand, they still might be upset they weren’t informed. Some may leave. We assume a 10% churn rate as a midpoint between minimal discontent (e.g., 5%) and active dissatisfaction (e.g., 30%).
• Total Assumed Churn: 145,000 users per year
  • Based on the percentage estimates outlined in Churn Rate assumptions.
• Revenue Impact: $34.8 million annually
  • 145,000 churned users multiplied by annual $240 subscription cost

Combining Labor, Fraud, and Customer Churn

To get a holistic understanding of how much ATO and session hijacking costs your business on an annual basis, we can combine all three cost factors. Let’s again use the fictional company Vidz2Stream and their profile to add up the costs and quantify the magnitude of this problem:

• Labor
• 375,000 x 70 = $26.2M
  • Security teams cannot investigate all the incidents they are alerted on due to the ubiquitous problem of “alert fatigue”. Various sources put the number around 40-60% investigation9. Let’s split the difference and assume the Vidz2Stream security team investigates half of their estimated 750,000 ATO incidents.
• Fraud
• $20 X 375,000 = $7.5M
  • Let’s assume that the 375K investigations successfully negated any fraud costs related to those accounts.
  • Let’s assume the other 375K resulted in fraud losses equaling the value of 1 month of a Vidz2Stream subscription ($20).
• Churn
• $34.8M as calculated in the previous section.

Conclusion

In the case of Vidz2Stream, ATO and Session Exposure costs at least $68.5 million dollars annually.

We hope this data provides valuable insights into the scale, impact, and industry trends surrounding exposed sessions. More importantly, we hope it inspires security teams to improve or augment detection and response strategies—shifting toward proactive measures that identify, monitor, and remediate exposed sessions before they can be exploited to head off fraud risks, unlock labor efficiencies, and deliver better security outcomes for end customers.

Account Takeover Fraud Prevention and Flare

The Flare Account Takeover Prevention solution empowers organizations to proactively detect, prioritize, and mitigate cookie hijacking. Our platform automatically scans the clear & dark web and prominent threat actor communities 24/7. By identifying accounts at risk of being compromised, Flare enables organizations to take preventive measures against account misuse. 

Flare integrates into your security program in 30 minutes and often replaces several SaaS and open source tools. Learn more by booking a demo.