(Scenario) How a Fintech Startup Stopped a Credential Stuffing Campaign in 11 Minutes
A real-world look at how Paylane, a seed-stage payment infrastructure startup, detected and contained a credential stuffing attack targeting 4,200 accounts — before a single user noticed.

At 2:47 AM on a Tuesday, Paylane's on-call engineer was asleep. So was every member of their four-person engineering team. They had no SOC, no security analyst, and no SIEM. What they did have was LiteSOC — and it was about to earn its keep.
The Company
Paylane is a seed-stage payment infrastructure startup processing transactions for e-commerce businesses in Southeast Asia. They handle sensitive financial data, are working toward PCI-DSS compliance, and have exactly the kind of user base that makes them a target: merchants with stored payment methods and high account values.
Their engineering team had integrated LiteSOC six weeks earlier during a routine security review. The integration took about 20 minutes, a single SDK call wrapping their existing authentication logic.
What Happened
At 2:47 AM, an attacker began feeding credentials through Paylane's login endpoint. This was not a brute-force attack against one account but a credential stuffing campaign: a list of email/password pairs from previous, unrelated breaches, tried systematically across thousands of accounts.
The attack was structured to evade naive rate limiting:
- Requests originated from 47 different IP addresses across 12 countries
- Each IP attempted fewer than 10 logins
- Requests were spaced 800ms–3s apart to avoid velocity thresholds
- The attacker rotated User-Agent strings on every request
A traditional WAF would have seen nothing unusual. A per-IP rate limiter would have seen nothing unusual. But LiteSOC was correlating across the entire login.failed event stream for the organization.
The Detection
LiteSOC's brute force detection engine doesn't operate per-IP in isolation. It maintains a rolling 10-minute window across all failed login events for an org, grouped by actor_id (the email being targeted). When the same account sees multiple failures from different IPs, that's the signal.
By 2:51 AM, four minutes into the attack, LiteSOC had observed:
- 312 login.failed events across 4,200 unique actor IDs
- 47 distinct source IPs, none individually exceeding threshold
- 6 accounts with 5+ failures: a clear credential stuffing pattern
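The correlation described above, written out as an added example (this is not LiteSOC's code): failed logins are kept in a rolling window for the whole org, grouped by actor_id, and an account is flagged when its failures come from several different IPs, even though no single IP crosses a per-IP limit. Event shape, thresholds and the sample stream are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # rolling window per org
PER_IP_LIMIT = 10                # what a naive per-IP limiter would trip on
FAILS_PER_ACTOR = 5              # account-level threshold from the scenario
MIN_DISTINCT_IPS = 3             # failures must come from several sources

def in_window(events, now, etype):
    return [e for e in events if e["type"] == etype and now - e["ts"] <= WINDOW]

def detect_stuffing(events, now):
    """Group login.failed by actor_id; flag accounts hit from many different IPs."""
    recent = in_window(events, now, "login.failed")
    by_actor = defaultdict(list)
    per_ip = defaultdict(int)
    for e in recent:
        by_actor[e["actor_id"]].append(e["ip"])
        per_ip[e["ip"]] += 1
    flagged = {a: sorted(set(ips)) for a, ips in by_actor.items()
               if len(ips) >= FAILS_PER_ACTOR and len(set(ips)) >= MIN_DISTINCT_IPS}
    return {"flagged": flagged,
            "distinct_ips": len(per_ip),
            "noisy_ips": [ip for ip, n in per_ip.items() if n >= PER_IP_LIMIT]}

def confirmed_compromises(events, now, flagged):
    """Flagged accounts that later saw a login.success from one of the attacking IPs."""
    return sorted({e["actor_id"] for e in in_window(events, now, "login.success")
                   if e["actor_id"] in flagged and e["ip"] in flagged[e["actor_id"]]})

# Constructed sample stream (not incident data): 8 TEST-NET-3 IPs, each well under
# 10 attempts, spread over 16 accounts within 2 minutes.
T0 = datetime(2025, 1, 7, 2, 47)
IPS = [f"203.0.113.{i}" for i in range(1, 9)]
NOW = T0 + timedelta(minutes=4)

def ev(i, ip, actor, etype="login.failed"):
    return {"type": etype, "ts": T0 + timedelta(seconds=3 * i), "ip": ip, "actor_id": actor}

SAMPLE, n = [], 0
for a in range(6):                      # 6 targeted accounts, 5 misses each from 5 different IPs
    for k in range(5):
        SAMPLE.append(ev(n, IPS[(a + k) % 8], f"user{a}@example.com")); n += 1
for a in range(6, 16):                  # 10 accounts with a single miss each (background noise)
    SAMPLE.append(ev(n, IPS[n % 8], f"user{a}@example.com")); n += 1
SAMPLE.append(ev(n, IPS[3], "user3@example.com", "login.success"))  # a stuffed pair that worked
SAMPLE.append(ev(-300, "203.0.113.99", "user0@example.com"))        # 15 min old: outside window

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE, NOW))
```

A per-IP view of the same stream returns no noisy IPs at all, which is the point: the signal only exists once failures are grouped by the targeted account.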
A Critical severity alert fired at 2:51:34 AM:
🚨 CRITICAL: Distributed Credential Stuffing Attack Detected
312 failed login attempts across 4,200 accounts
47 source IPs across 12 countries
6 accounts compromised (valid credentials confirmed)
Recommended action: Force password reset on flagged accounts
The alert landed in Slack and Discord and triggered a webhook to Paylane's incident response runbook in Notion. Their on-call engineer woke up at 2:53 AM.
The Response
By 2:58 AM — 11 minutes after the attack began — Paylane had:
- Identified the 6 compromised accounts from LiteSOC's alert metadata, which included the specific actor_id values that had both failed and then succeeded
- Force-reset passwords on all 6 accounts via their admin panel
- Temporarily rate-limited the login endpoint to 3 attempts per email per 15 minutes
The attacker's success rate was 6 out of 4,200 attempts (0.14%). None of the 6 compromised accounts had completed a transaction before Paylane locked them.
The Forensics
After containing the incident, Paylane's engineer spent 20 minutes in the LiteSOC dashboard reviewing the attack timeline. The forensics view showed:
Geographic spread of attacker IPs:
- Vietnam (11 IPs)
- Indonesia (8 IPs)
- Thailand (7 IPs)
- Philippines (6 IPs)
- Malaysia (5 IPs)
- 10 other countries (10 IPs)
Network intelligence on source IPs:
- 41 of 47 IPs flagged as datacenter/VPS infrastructure
- 3 flagged as known Tor exit nodes
- 3 residential proxies
Attack timing: Requests accelerated between 2:47–2:52 AM, then abruptly stopped at 2:52 AM — suggesting the attacker detected the rate-limiting response and aborted.
The credential list being used was cross-referenced against Have I Been Pwned data and matched a 2024 breach of a Southeast Asian e-commerce platform — the same user base Paylane's merchants serve.
The Impossible Travel Signal
One of the 6 compromised accounts triggered a second LiteSOC alert 3 minutes after the initial compromise: an Impossible Travel detection.
The attacker had successfully authenticated from an IP in Ho Chi Minh City at 2:49 AM. But that same account had a legitimate login from Singapore at 11:43 PM the previous night — 3 hours and 6 minutes earlier. LiteSOC calculated:
- Distance: 1,094 km
- Time elapsed: 186 minutes
- Required speed: 353 km/h ✅ (under the 1,000 km/h threshold — not flagged as impossible)
This was borderline, but LiteSOC's geo-anomaly detection caught a different signal: the Singapore session used a macOS Chrome fingerprint; the Ho Chi Minh City session used a Linux headless browser fingerprint. Combined with the network intelligence showing a datacenter IP, this account was automatically escalated to Critical severity even without the impossible travel threshold being breached.
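The two-session check above, as an added example rather than LiteSOC's implementation: great-circle distance and elapsed time give the required speed, and a device-fingerprint change coinciding with a datacenter source escalates the session even when the speed stays under the threshold. City-centre coordinates, session fields and the escalation rule are assumptions, so the distance lands a few km from the page's figure.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 1000.0            # page's impossible-travel threshold
RISKY_NETWORKS = {"datacenter", "tor", "residential_proxy"}

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    h = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess_login(prev, cur):
    """Score a new session against the account's previous one (sessions in time order).
    Escalation rule (assumed): Critical on impossible travel, or when a fingerprint
    change coincides with a risky network; one signal alone is only a warning."""
    distance = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    minutes = (cur["ts"] - prev["ts"]).total_seconds() / 60
    speed = distance * 60 / max(minutes, 1e-6)   # km/h; zero gap + zero distance -> 0
    signals = []
    if speed > MAX_SPEED_KMH:
        signals.append("impossible_travel")
    if prev["fingerprint"] != cur["fingerprint"]:
        signals.append("fingerprint_mismatch")
    if cur["network"] in RISKY_NETWORKS:
        signals.append("risky_network")
    if "impossible_travel" in signals or {"fingerprint_mismatch", "risky_network"} <= set(signals):
        severity = "critical"
    elif signals:
        severity = "warning"
    else:
        severity = "info"
    return {"distance_km": round(distance), "minutes": round(minutes),
            "speed_kmh": round(speed), "signals": signals, "severity": severity}

# Constructed sessions; coordinates are city centres, not data from the incident.
LEGIT_SG = {"lat": 1.3521, "lon": 103.8198, "ts": datetime(2025, 1, 6, 23, 43),
            "fingerprint": "macos/chrome", "network": "residential"}
ATTACKER_HCMC = {"lat": 10.8231, "lon": 106.6297, "ts": datetime(2025, 1, 7, 2, 49),
                 "fingerprint": "linux/headless-chromium", "network": "datacenter"}
ATTACKER_TOO_SOON = {**ATTACKER_HCMC, "ts": datetime(2025, 1, 7, 0, 3)}  # 20 min later: impossible
LEGIT_SG_LATER = {**LEGIT_SG, "ts": datetime(2025, 1, 7, 1, 0)}          # same device, same city

if __name__ == "__main__":
    print(assess_login(LEGIT_SG, ATTACKER_HCMC))
    print(assess_login(LEGIT_SG, ATTACKER_TOO_SOON))
```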
What It Cost
Paylane is on LiteSOC's Pro plan at $49/month. Their alternative, a junior security analyst contractor reviewing logs manually, would have cost roughly $3,000/month and realistically wouldn't have been awake at 2:47 AM.
The 6 compromised accounts had a combined account balance of $14,200. None of it was lost.
Lessons
1. Credential stuffing is a volume game. Attackers know per-IP rate limiting is the standard defense. The only reliable countermeasure is cross-account correlation — seeing that the same credential list is being tried against many accounts simultaneously.
2. Network intelligence matters. The 41 datacenter IPs were the tell. Legitimate users don't log in from AWS spot instances at 3 AM.
3. 11 minutes is the window. Most credential stuffing campaigns complete their valid-credential harvest in under 15 minutes before operators respond. Detection has to be automatic and the alert has to wake someone up — not appear in a dashboard nobody checks overnight.
4. SOC 2 evidence is a byproduct. Every alert, every forensic event, every response action was automatically recorded in LiteSOC's audit log. Paylane's upcoming SOC 2 Type 1 audit will include this incident as evidence of their incident response process with timestamps, actor data, and documented containment actions without any manual documentation effort.
Paylane integrated LiteSOC in 20 minutes. The attack happened six weeks later. The math worked out.
If you're a startup handling sensitive user data without a dedicated security team, start your free trial. You don't need to be breached to justify the cost, but it's useful to know what the cost of not having it looks like.