{ "ip_address": "198.51.100.23", "is_vpn": false, "is_proxy": false, "is_tor": true, "is_hosting": true, "is_abuse": true, "country": "RO" }






Account takeover fraud, or ATO, is when an attacker logs into a real user's account using stolen or guessed credentials, then drains value, changes details, or resells access. It usually starts with credential stuffing, phishing, or a SIM swap. Catching the risky login is the moment to stop it.
Watch the login and account-recovery moments for signals that the person is not the real owner: a login from a new IP on a VPN, proxy, or Tor, an impossible-travel jump in location, a disposable email set as the recovery address, or a VOIP number on the recovery phone. Feed those signals into your risk rules.
Credential stuffing is automated login attempts using username and password pairs leaked in other breaches. Because people reuse passwords, a small fraction succeed. The traffic usually comes from bots on data-center, VPN, or proxy IPs, which is exactly what IP signals expose at the login.
Mostly, but not completely. MFA blocks most credential-stuffing logins, yet it is weaker against MFA-fatigue attacks and SIM swaps that hijack the second factor. Layering login risk signals underneath, like a VOIP recovery number or a Tor IP, catches takeovers that slip past MFA.
The strongest login-time signals are a new or high-risk IP (VPN, proxy, Tor, or data center), a location that does not match the account's history, a disposable email on the recovery address, and a VOIP or freshly ported recovery phone. Any one raises risk; together they are a strong takeover signal.
Yes. Score the login in the background and only step up the ones that look risky. A returning user on a familiar IP and location passes straight through, while a login from a Tor exit in a new country gets an extra check. Real users rarely notice; attackers hit friction.
Abstract is the signal layer for your ATO defenses, not a full auth platform. Call its IP Intelligence, IP Geolocation, Email Reputation, and Phone Validation APIs at login and account recovery to get VPN, proxy, Tor, geo-mismatch, disposable-email, and VOIP flags. Feed them into your own rules alongside MFA and rate limiting. Start free, no credit card.