Payments Platform Stops an Account-Recovery Takeover Wave with a Real-Time Exposure Signal

Executive Summary

A payments platform serving several million consumer accounts was absorbing a wave of account-takeover fraud that bypassed its login defenses entirely. Attackers were not breaking in at the login screen. They were walking in through the account-recovery flow, using exposed personal data and recycled credentials to pass recovery checks and reset passwords. The platform inserted Constella’s real-time exposure signal into the recovery flow as a risk input, cut account-takeover fraud losses by 38%, and did so without a meaningful increase in false declines.

The Challenge: The Attack Moved to the Recovery Flow

The platform had invested in login defenses, and they worked. So the fraud moved. Attackers shifted to the account-recovery flow, the path designed to help legitimate users who are locked out. Armed with personal data and credentials drawn from recycled dumps and infostealer logs, they passed recovery checks, hijacked recovery channels, and reset passwords on accounts that had never had a failed login. The fraud team could see the losses but not the signal, because nothing in the recovery flow distinguished a genuine locked-out customer from an attacker holding the same exposed data.

Transaction-based fraud models were little help. By the time a fraudulent payment appeared, the takeover had already happened. The platform needed an identity-level signal at the moment of recovery, not a transaction-level signal after the money moved.

The Solution: A Likelihood-of-Compromise Signal at the Point of Recovery

The platform integrated Constella’s exposure API as a real-time risk input in the account-recovery flow. For each recovery attempt, the API returned a likelihood-of-compromise signal based on whether the identity’s credentials and personal data appeared across breach and infostealer sources, including the recycled dumps that keep credentials in circulation for years. Because Constella’s signals are verified and normalized rather than raw, the score was precise enough to use as a control rather than a noisy hint.

  • Each recovery attempt received an exposure-based likelihood-of-compromise signal in real time, with no change to the experience for low-risk users.
  • High-exposure recovery attempts were stepped up to stronger verification rather than completing on the basis of the same data the attacker already held.
  • The highest-risk attempts were held for review, breaking the takeover before the password reset completed.

The Result: 38% Lower ATO Losses Without More False Declines

  • Account-takeover fraud losses fell by 38% in the first two quarters after integration.
  • False declines on legitimate recovery attempts did not rise meaningfully, because the signal targeted the high-exposure minority rather than adding blanket friction.
  • The recovery flow stopped being the soft path it had become, shifting attacker effort away from the platform.
  • The same exposure signal was extended to high-value login and payment-change flows as a programmable risk-control layer.

How does account-recovery account takeover work?

Attackers target the recovery flow because it is designed to restore access when normal credentials fail, which makes it a softer path than the login screen. Using exposed personal data and recycled credentials, they pass knowledge-based checks or hijack a recovery email or phone, then reset the password and take over the account. Because the recovery flow is built to help locked-out users, it often applies less scrutiny than login.

How does an exposure signal prevent account takeover?

A real-time exposure signal returns a likelihood-of-compromise score for the identity attempting an action, based on whether its credentials and personal data appear in breach and infostealer sources. When a recovery attempt comes from an identity with high exposure, the platform can require stronger verification or hold the request, stopping the takeover before the password is reset.
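The three-tier control described in the solution section and in the answer above (allow low-exposure attempts unchanged, step up high-exposure ones, hold the highest-risk ones for review) is a small policy function in practice. The example below is an added illustration, not Constella's code or the platform's integration: the response shape (a `likelihood_of_compromise` score assumed to be normalized to [0, 1], plus the source types it was derived from), the thresholds, the `fetch_exposure` stand-in and every sample identity are assumptions constructed for the example. It also covers the failure mode a practitioner has to decide on: when the lookup is unavailable, the flow fails closed to step-up rather than completing a reset on data the attacker may already hold.

```python
"""Exposure-driven decisioning for an account-recovery flow.

Added example; not Constella's code. The response shape
(``likelihood_of_compromise`` in [0, 1] plus the source types it was
derived from) and all sample identities are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"        # low exposure: recovery proceeds unchanged
    STEP_UP = "step_up"    # high exposure: require stronger verification
    HOLD = "hold"          # highest exposure: queue for review before any reset


# Policy thresholds (assumed); a real deployment tunes these against its
# own fraud-loss and false-decline rates.
STEP_UP_THRESHOLD = 0.50
HOLD_THRESHOLD = 0.85


@dataclass(frozen=True)
class ExposureSignal:
    likelihood_of_compromise: float   # assumed normalized to [0, 1]
    sources: Tuple[str, ...]          # e.g. ("breach", "infostealer")


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str


def decide_recovery(signal: Optional[ExposureSignal]) -> Decision:
    """Map an exposure signal to a recovery-flow action.

    The recovery flow must never complete a reset on the strength of data
    the attacker may already hold, so an unavailable signal (timeout,
    lookup error, unknown identity) fails closed to step-up, not open to ALLOW.
    """
    if signal is None:
        return Decision(Action.STEP_UP, "exposure lookup unavailable; fail closed")
    score = signal.likelihood_of_compromise
    if not 0.0 <= score <= 1.0:
        return Decision(Action.STEP_UP, f"out-of-range score {score!r}; fail closed")
    if score >= HOLD_THRESHOLD:
        return Decision(Action.HOLD, f"score {score:.2f} >= hold threshold")
    if score >= STEP_UP_THRESHOLD:
        return Decision(Action.STEP_UP, f"score {score:.2f} >= step-up threshold")
    return Decision(Action.ALLOW, f"score {score:.2f} below step-up threshold")


# Constructed stand-in for the exposure API: identity -> signal, with None
# standing in for a lookup that timed out.
FAKE_EXPOSURE_INDEX: Dict[str, Optional[ExposureSignal]] = {
    "user-a@example.com": ExposureSignal(0.05, ()),
    "user-b@example.com": ExposureSignal(0.12, ("breach",)),
    "user-c@example.com": ExposureSignal(0.63, ("breach",)),
    "user-d@example.com": ExposureSignal(0.91, ("breach", "infostealer")),
    "user-e@example.com": None,
}


def fetch_exposure(identity: str) -> Optional[ExposureSignal]:
    """Hypothetical stand-in for the real-time API call (constructed data)."""
    return FAKE_EXPOSURE_INDEX.get(identity)


def route_attempts(identities: Iterable[str]) -> Dict[str, Decision]:
    """Decide every recovery attempt in a batch; returns identity -> decision."""
    return {ident: decide_recovery(fetch_exposure(ident)) for ident in identities}


def friction_summary(decisions: Dict[str, Decision]) -> Dict[str, int]:
    """Count actions so added friction can be tracked against the
    false-decline rate; step-up and hold should stay a minority."""
    counts = {a.value: 0 for a in Action}
    for d in decisions.values():
        counts[d.action.value] += 1
    return counts


if __name__ == "__main__":
    routed = route_attempts(FAKE_EXPOSURE_INDEX)
    for ident, d in routed.items():
        print(f"{ident:22} {d.action.value:8} {d.reason}")
    print(friction_summary(routed))
```

The `friction_summary` counts are what a fraud team would chart next to the false-decline rate: if step-up and hold start covering more than the high-exposure minority, the thresholds are too aggressive for the stated goal of lower losses without more false declines.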

Does adding an exposure check increase false declines?

Used as a risk signal rather than a hard block, an exposure check raises friction only on high-risk attempts and lets clean ones through. Because Constella’s signals are verified and normalized rather than raw, the score is precise enough to target the risky minority, so platforms typically see fraud fall without a meaningful rise in false declines.

Conclusion

Fraud follows the path of least resistance, and when login defenses hold, it moves to recovery. The platform closed that path by adding an identity-level signal at the exact moment of risk, turning exposed-identity data into a programmable control that stopped takeovers before the money moved. Following the money through identity, rather than through transactions alone, is what made the difference.