Account Checker

An account checker is a type of program used by cyber criminals to gain unauthorized access to other people's online customer accounts. The term combines "account" (a customer account with an online service) and "checker". The criminal uses an account checker to test whether particular email addresses belong to a customer account with a given provider. Once such an account is found, they start a credential stuffing attack: rather than guessing, they try passwords that have already leaked, including the password that leaked together with that email address, against the account.

 

What does the term Account Checker mean in detail?

  • Account checkers are relatively simple attack tools. They can be bought ready-made and are therefore widely available.
  • Where do the email addresses checked by account checkers come from? From security incidents in which cyber criminals have captured, for example, the email addresses of an online store's customers. Lists of such addresses circulate on the darknet. There are similar lists of passwords, and of email address and password pairs (often called "combo lists") taken from hacked customer accounts.
  • Many users reuse the same email address and password combination for several of their customer accounts. Using the above lists, cyber criminals look for such "twin accounts" at other providers in order to abuse them.

 

Where do I encounter the topic of account checkers in my day-to-day work?

Most likely through the measures with which online stores and other providers try to stop account checkers and credential stuffing. These include, for example, allowing only a limited number of failed login attempts, so that an attacker can try only a few passwords per account or per source address. Such limits are usually enforced per IP address, and attackers respond by spreading their attempts over many addresses (proxies, botnets), so failed-login limits alone do not stop a well-equipped checker.
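The flip side of those measures is spotting account-checker traffic in your own login logs. The following is an added example, not part of the original glossary entry: it parses a few constructed log lines in an assumed "timestamp source-IP email result" format and flags source addresses that tried many different accounts with mostly failed logins, which is the signature of a checker walking an address list rather than a user mistyping one password. The function names, log format and thresholds are illustrative assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format: timestamp source-IP email result).
# 203.0.113.7 walks six different addresses and finds one "twin account";
# 198.51.100.23 is one user mistyping a password and then succeeding.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 anna@example.org FAIL
2024-05-01T10:00:02Z 203.0.113.7 ben@example.org FAIL
2024-05-01T10:00:02Z 203.0.113.7 chris@example.org FAIL
2024-05-01T10:00:03Z 203.0.113.7 dana@example.org OK
2024-05-01T10:00:04Z 203.0.113.7 erik@example.org FAIL
2024-05-01T10:00:05Z 203.0.113.7 fiona@example.org FAIL
2024-05-01T10:00:09Z 198.51.100.23 anna@example.org FAIL
2024-05-01T10:00:15Z 198.51.100.23 anna@example.org FAIL
2024-05-01T10:00:20Z 198.51.100.23 anna@example.org OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(log_text):
    """Return (timestamp, ip, email, result) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events


def find_account_checkers(events, min_accounts=5, min_fail_ratio=0.5):
    """Flag source IPs that tried at least `min_accounts` distinct email
    addresses with a failure ratio of at least `min_fail_ratio`.

    A legitimate user who mistypes a password retries one account; an
    account checker walks a list of addresses and fails on most of them.
    Successful logins from a flagged IP ("hits") are the accounts the
    checker actually got into; those users need a forced password reset.
    """
    per_ip = defaultdict(lambda: {"accounts": set(), "fail": 0, "total": 0, "hits": []})
    for _ts, ip, email, result in events:
        s = per_ip[ip]
        s["accounts"].add(email)
        s["total"] += 1
        if result == "FAIL":
            s["fail"] += 1
        else:
            s["hits"].append(email)

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fail"] / s["total"]
        if len(s["accounts"]) >= min_accounts and ratio >= min_fail_ratio:
            flagged[ip] = {
                "accounts": len(s["accounts"]),
                "fail_ratio": round(ratio, 2),
                "hits": s["hits"],
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_account_checkers(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['accounts']} accounts tried, "
              f"{info['fail_ratio']:.0%} failed, hits={info['hits']}")
```

Counting distinct accounts per source address is what separates a checker from a forgetful user; on real traffic you would evaluate the same statistic over a sliding time window and, because checkers rotate addresses, also per address range, user agent or TLS fingerprint.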

 

What can I do to improve my safety?

For users, the same measures that protect against credential stuffing apply. Briefly summarized:

  • Change passwords that you have used for a long time, and any password that has appeared in a data breach.
  • Use a different, strong password for each user account.
  • Use a password manager so that this stays manageable.
  • Use two-factor authentication wherever it is offered.

As the operator of a website with user accounts, you can increase the security of your customers with the following measures:

  • Limit the number of requests and login attempts permitted from the same IP address. Ideally, deny that IP access for 12 to 24 hours once the limit is reached. Because attackers rotate through many addresses, also limit failed attempts per account, and be aware that blocking a shared address (corporate NAT, mobile carrier) can lock out legitimate users.
  • Do not give account checkers any indication of whether an email address is registered with you at all. Your login screen should behave identically for every incorrect entry, in the message shown, the HTTP status and the response time, so that it cannot be determined whether only the password was wrong or the email address as well. A common mistake is to skip the slow password hash when the address is unknown, which makes unknown addresses answer measurably faster.
  • The same applies to the password reset function: do not reveal whether the email address in question is known to the system.
  • A neutral response could read something like this: "We will now send you an email with a link to reset your password. If you do not receive an email from us in the next few minutes, please check the email address you entered and your spam folder. If you have any problems, simply contact our customer support."
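The provider-side measures above fit into a few dozen lines. The following is an added example, not code from the original entry: a minimal login and password-reset service that limits failed attempts per IP with a 12-hour block, returns one identical error message for an unknown address and for a wrong password, and, so that the two cannot be told apart by response time either, verifies a random dummy password hash when the address is unknown. The class and constant names, the in-memory user store, the injectable clock and the thresholds are assumptions for the illustration; a real deployment would use a memory-hard password hash (argon2, scrypt or bcrypt) and a shared store such as Redis for the counters.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Assumed policy values for this example.
MAX_FAILED_ATTEMPTS = 5          # failed attempts per IP before blocking
BLOCK_SECONDS = 12 * 60 * 60     # lower end of the 12-24 h range given above
GENERIC_LOGIN_ERROR = "Email address or password is incorrect."
BLOCKED_MESSAGE = "Too many attempts. Please try again later."
GENERIC_RESET_MESSAGE = (
    "We will now send you an email with a link to reset your password. "
    "If you do not receive an email from us in the next few minutes, please "
    "check the email address you entered and your spam folder."
)


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256 (stdlib only); use argon2/scrypt/bcrypt in production."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LoginService:
    def __init__(self, users, now=time.time):
        self.users = users                  # {email: (salt, password_hash)}
        self.now = now                      # injectable clock (for tests)
        self.failures = defaultdict(int)    # ip -> failed attempts since last success
        self.blocked_until = {}             # ip -> unix time at which the block expires
        self.mail_outbox = []               # (email, message) pairs "sent"
        # Dummy credential verified when the email is unknown, so that an unknown
        # address costs the same time as a wrong password (no timing oracle).
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(os.urandom(16).hex(), self._dummy_salt)

    def _is_blocked(self, ip):
        return self.blocked_until.get(ip, 0) > self.now()

    def _record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_FAILED_ATTEMPTS:
            self.blocked_until[ip] = self.now() + BLOCK_SECONDS
            self.failures[ip] = 0

    def login(self, ip, email, password):
        """Return (success, message); the message never reveals whether the
        email address exists."""
        if self._is_blocked(ip):
            return False, BLOCKED_MESSAGE
        record = self.users.get(email)
        salt, expected = record if record is not None else (self._dummy_salt, self._dummy_hash)
        # Always run the expensive hash and a constant-time compare ...
        matches = hmac.compare_digest(hash_password(password, salt), expected)
        # ... but never accept the dummy credential, whatever was typed.
        if record is None or not matches:
            self._record_failure(ip)
            return False, GENERIC_LOGIN_ERROR
        self.failures.pop(ip, None)
        return True, "Login successful."

    def request_reset(self, ip, email):
        """Same response text whether or not the address is registered."""
        if self._is_blocked(ip):
            return BLOCKED_MESSAGE
        if email in self.users:
            self.mail_outbox.append((email, "password reset link"))
        return GENERIC_RESET_MESSAGE
```

The block is keyed on the source IP alone, as the text suggests; since checkers spread their attempts across many addresses, a production version would additionally count failures per account and per address-and-account pair, and would log the blocked attempts so that the detection logic described earlier has something to work with.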

Closely related to this entry is our glossary entry on credential stuffing.