Account takeover (ATO) attacks grew 148% year-over-year through Q4 2024, with credential stuffing now costing ecommerce brands an average of $442 per incident in direct fraud loss — rising to $1,200–$1,800 all-in. Ecommerce and digital media are the hardest-hit industries, at 3.4x and 2.9x the cross-industry ATO attack rate respectively. The attack surface is fueled by 24+ billion exposed credential pairs, residential proxy networks, and cheap bot-as-a-service toolkits. Passkeys/FIDO2 show the highest documented single-control reduction at 99% on enrolled accounts, followed by adaptive MFA at 96%. The post includes multi-source data tables on attack volume trends, industry loss profiles, and defense effectiveness, with practical caveats on methodology differences across Sift, Akamai, Forter, FBI IC3, and Microsoft reports.

21m read time. From securityboulevard.com
Table of contents
What Is the State of ATO in 2026
How Has Credential Stuffing Grown Year Over Year
Which Industries Are Hit Hardest by ATO
What Is the Average Loss per ATO Incident
Why Ecommerce and Media Are the Top Targets
What Defenses Have Highest Documented ATO Reduction
FAQ
Final Thoughts
