The ATO fight moved past credential stuffing
The Hacker News argues account takeover shifted from credential stuffing to attacking verification — passkeys pushed the front door shut, so attackers moved.
The Hacker News published a trend piece Wednesday arguing that the account-takeover economy has quietly turned a corner. The Verification Step Is the New ATO Battleground in 2026 makes the case that credential stuffing — buy a dump, run it through a checker, wait for hits — has stopped being the reliable revenue line it used to be. Passkeys have reached mainstream adoption, the front door has finally got harder to kick in, and the attention has shifted downstream to the moment where trust actually gets granted: the verification step.
Analysis, not incident reporting. The Hacker News piece is a trend argument, not a report of a specific intrusion, and it deserves engagement on those terms. The shift it describes is not one anyone should be surprised by — but the fact that a mainstream outlet is treating credential stuffing in the past tense is itself a data point worth marking.
What actually shifted
For roughly a decade, the ATO market ran on the same three-step loop. Somebody breached a service, the dump ended up on a market or a Telegram channel, and the credentials made their way into automated checkers pointed at every consumer property with a login form. The economics worked because password reuse was near-universal and second factors were an opt-in feature that most users never opted into. A checker running overnight against a million rows would usually turn something up, and the something was cheap enough to be worth reselling.
Two things about that loop have been slowly falling apart. The first is that the value of a raw credential has dropped, because the credential alone is no longer what unlocks the account. Passkeys tie the login to a specific device secret that the attacker does not have; even without passkeys, the widespread adoption of push-based MFA means the credential is now one factor of two, and the second factor is the one that decides. The second is that the defensive side of the industry has finally built infrastructure — bot-management vendors, credential-stuffing detection, breach-notification services quietly feeding password-blocklists — that makes the checker run more expensive and less productive than it was five years ago.
The Hacker News reads this as the end of an era. That framing is worth taking seriously, with one caveat: eras in ATO end unevenly. Credential stuffing will keep working, well enough to keep somebody employed, against every property that has not enrolled its users in a real second factor. There are still a lot of those properties.
Where the fight moved
The verification step is a broad target and the attacks against it are not new — they are just moving up-market from research writeups into everyday practice. The general shape is easy to describe without turning this into a how-to. An attacker who cannot beat the login can try to make a legitimate user complete the login on the attacker’s behalf, by relaying the session through an adversary-in-the-middle proxy that captures the resulting cookie. An attacker who cannot beat the login can try to make the user enroll a new second factor under the attacker’s control, by calling in as help-desk or by wearing down a genuine holder with repeated MFA prompts. An attacker who cannot do either can try the recovery flow, which is nearly always the softest surface any given identity provider exposes.
CISA and multiple identity vendors have already documented each of these categories in advisories that predate the shift The Hacker News is describing; the mechanics are well-covered elsewhere and the primary sources should carry that weight, not a summary here.
The point worth pausing on is not the specific techniques. It is the pattern.
The pattern is old
Every time the defensive community closes a lane, the attacking side moves next door. The move from packet-level attacks to application-level attacks. The move from macro-enabled Office documents to LNK files, ISO files, HTML smuggling, and back to Office when a new bypass surfaces. The move from ransomware-as-encryption to ransomware-as-exfiltration when backup hygiene finally improved. The specific hallway changes; the fact that there is another hallway does not.
The ATO shift The Hacker News describes belongs to the same family. Credential stuffing did not stop working because attackers ran out of ideas; it stopped being the cheapest option because a specific defensive investment made it stop. What comes after it will be cheaper for a while, until the equivalent investment closes that lane too, and the fight moves again.
None of this is an argument against making the investment. Closing the credential-stuffing lane is a real gain. The users of every consumer service on passkeys are meaningfully harder to compromise than they were three years ago, and that gain does not evaporate just because the attackers found another door. It just means the strategic conversation about ATO has to keep moving with the attackers, rather than settling into the vocabulary of the last era while budgets get committed against a fight that has already ended.
Credential stuffing is winding down. The verification step is where the argument goes next. That is worth reading The Hacker News piece for. It is also worth remembering that whichever step ends up next after this one, the argument will move there too.
Sourcing
- The Hacker News: The Verification Step Is the New ATO Battleground in 2026 — 2026-07-08
- Related: Entra passkey-enrollment vishing targets Microsoft 365 users — 2026-07-08
- Related: Forg365 phishing platform uses AI to target M365 accounts — 2026-07-09
- Related: Helix vishing group emerges in SharePoint data-theft attacks — 2026-07-09
Found this useful? Share it.
