21/10/2024

Credential stuffing against marketplace support accounts

Automated credential reuse targets marketplace support agents to escalate tickets, approve refunds, and export sensitive data.

Tags

account-takeover, support, automation

Threat narrative

Attackers collect leaked corporate email/password pairs from previous breaches and run automated credential stuffing against Qubicbox and partner support consoles. Once inside, they approve fraudulent refunds, escalate tickets to bypass verification, and download customer PII for further social engineering.

Detection signals

  • Multiple failed logins followed by a success from the same ASN within minutes.
  • Support actions executed outside business hours or from high-risk geographies.
  • API calls to export ticket CSVs or customer lists occurring in bulk.
  • New device fingerprints that have never been seen on the agent account.
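The first and last signals above can be checked together from console login telemetry. The following detector is an added example (not Qubicbox code); it assumes a constructed audit-log format of "timestamp agent ASN result device-fingerprint" and a constructed table of fingerprints previously seen per agent account.

```python
from datetime import datetime, timedelta

# Constructed sample events for illustration (not real telemetry). Each line mimics a
# console audit record: timestamp, agent account, source ASN, result, device fingerprint.
# AS64500 and AS64496 are from the ASN range reserved for documentation.
SAMPLE_LOG = """\
2024-10-21T02:00:05 agent.a AS64500 fail dev-1a
2024-10-21T02:00:09 agent.b AS64500 fail dev-1a
2024-10-21T02:00:14 agent.c AS64500 fail dev-1a
2024-10-21T02:00:20 agent.d AS64500 fail dev-1a
2024-10-21T02:00:27 agent.e AS64500 fail dev-1a
2024-10-21T02:01:02 agent.f AS64500 success dev-1a
2024-10-21T09:15:00 agent.a AS64496 fail dev-7c
2024-10-21T09:15:30 agent.a AS64496 success dev-7c
"""

# Constructed: device fingerprints previously observed on each agent account.
KNOWN_DEVICES = {"agent.a": {"dev-7c"}, "agent.f": {"dev-3e"}}


def parse_log(text):
    """Parse the constructed log format into event dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, agent, asn, result, device = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "agent": agent,
                       "asn": asn, "result": result, "device": device})
    return sorted(events, key=lambda e: e["ts"])


def detect_stuffing(events, known_devices, min_failures=5, window=timedelta(minutes=10)):
    """Alert on a successful login from an ASN that produced at least min_failures
    failed logins (across any agent accounts) within the preceding window.
    Grouping by ASN rather than by account catches the spray pattern of
    credential stuffing, where each account sees only one or two attempts.
    Each alert also records whether the fingerprint is new for that account."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["result"] != "success":
            continue
        recent_failures = [p for p in events[:i]
                           if p["asn"] == ev["asn"] and p["result"] == "fail"
                           and ev["ts"] - p["ts"] <= window]
        if len(recent_failures) >= min_failures:
            alerts.append({
                "agent": ev["agent"],
                "asn": ev["asn"],
                "failures_before_success": len(recent_failures),
                "targeted_accounts": sorted({p["agent"] for p in recent_failures}),
                "new_device": ev["device"] not in known_devices.get(ev["agent"], set()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(parse_log(SAMPLE_LOG), KNOWN_DEVICES):
        print(alert)
```

In the sample data only the 02:01 success trips the rule: five failures against five different accounts from the same ASN in about a minute, followed by a success on an account that has never seen that device, while the lone failure before the 09:15 success stays below the threshold.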

Preventive controls

  1. Enforce multi-factor authentication for all support and partner console accounts (TOTP or hardware keys).
  2. Integrate with a credential screening service to block known compromised passwords at login.
  3. Rate limit sensitive support actions (refund approvals, payout overrides) and require secondary approval for high-value requests.
  4. Feed suspicious login telemetry into Qubicweb to alert partner marketplaces and trigger cross-platform password resets.

Incident response actions

  • Immediately revoke the agent session and force password resets for affected accounts.
  • Review audit logs for refunds, verification overrides, or data exports executed during the breach window.
  • Notify impacted partners/customers per NDPR/GDPR breach requirements and provide recommended remediation steps.
  • Update the credential stuffing playbook with new IP ranges, user agents, and campaign identifiers.