This is a sample of the report LogTriage generates from a single uploaded log file — no signup, no manual triage. Open the interactive demo →

Severity: CRITICAL · Confidence: HIGH · AI verdict: claude-sonnet-4-6 · Source: nginx

Credential Stuffing with Confirmed Account Compromise

Generated in ~30 seconds from a 22-line access log.

  • Events analyzed: 22
  • High-risk events: 22
  • Attack patterns: 1
  • Time window: 4 min

Executive summary

A single source (185.220.101.45, a Tor exit node) ran an automated credential-stuffing campaign against /api/v1/auth/login: 19 login attempts, 17 failures (89% failure rate), followed by 2 successful logins — confirming account compromise. One compromised account then accessed /api/v1/users/export, indicating possible data exfiltration. Immediate containment is required.

Attack pattern & evidence

Credential Stuffing → Account Takeover
  • 19 auth requests from one IP in a 4-minute window
  • 17 failures (89% fail rate) — automated, not human
  • 2 successful authentications after the failure burst — compromise confirmed
  • python-requests user-agent — scripted client, no browser
  • Source is a known Tor exit node (anonymized infrastructure)

Indicators of compromise (IOCs)

IPs
  • 185.220.101.45 (Tor exit)
ASNs
  • AS205100 — F3 Netze (Tor)
User agents
  • python-requests/2.28.0
Endpoints
  • /api/v1/auth/login
  • /api/v1/users/export

Threat intelligence verdicts

  • ipinfo.io: Tor exit node
  • AbuseIPDB: 100% abuse confidence, 900+ reports
  • ThreatFox: no match
  • OTX: seen in 40+ pulses

MITRE ATT&CK

T1110.004 — Credential Stuffing (Tactic: Credential Access)

Remediation steps

  1. Block 185.220.101.45 at the edge/WAF and force-terminate active sessions for the two compromised accounts. (WAF / IdP)
  2. Force a password reset + step-up MFA re-enrolment for the affected users; review actions taken after the successful logins. (IdP)
  3. Rate-limit and add credential-stuffing protection (device fingerprinting, bot detection) on /api/v1/auth/login. (WAF)
  4. Audit /api/v1/users/export access from the compromised accounts for data exfiltration. (App logs)
  5. Add a detection rule for failed-then-successful auth bursts by source IP (see our free Sigma library). (SIEM)
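The failed-then-successful burst detection from step 5, as an added Python example (not LogTriage's own code or the Sigma rule): it parses nginx combined-format lines (assumed log_format), groups POSTs to /api/v1/auth/login by source IP, and flags any IP whose failure burst inside a time window is followed by a successful login. The log lines are constructed to mirror the numbers in this report.

```python
import re
from collections import defaultdict
from datetime import datetime

# nginx "combined" log_format (assumed): remote_addr - user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"')
LOGIN_PATH = "/api/v1/auth/login"  # endpoint named in the report

def parse(line):
    """Return one parsed access-log event, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev

def detect_stuffing(lines, min_failures=10, window_s=300):
    """Flag source IPs with >= min_failures login failures inside window_s followed by a success."""
    per_ip = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["method"] == "POST" and ev["path"] == LOGIN_PATH:
            per_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in per_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["status"] in (401, 403)]
        if len(failures) < min_failures or (evs[-1]["ts"] - evs[0]["ts"]).total_seconds() > window_s:
            continue
        # A 200 after the first failure is the "failed-then-successful" signal: likely account takeover.
        later_ok = [e for e in evs if e["status"] == 200 and e["ts"] > failures[0]["ts"]]
        if later_ok:
            findings[ip] = {"attempts": len(evs), "failures": len(failures), "successes": len(later_ok),
                            "fail_rate": round(len(failures) / len(evs), 2),
                            "user_agents": sorted({e["ua"] for e in evs})}
    return findings

def sample_log():
    """Constructed sample: 17 failures then 2 successes from one IP within 3 minutes, plus one benign login."""
    tmpl = '{ip} - - [10/Mar/2025:14:{m:02d}:{s:02d} +0000] "POST {p} HTTP/1.1" {st} 48 "-" "{ua}"'
    lines = [tmpl.format(ip="185.220.101.45", m=i // 6, s=(i % 6) * 10, p=LOGIN_PATH,
                         st=401 if i < 17 else 200, ua="python-requests/2.28.0") for i in range(19)]
    lines.append(tmpl.format(ip="10.0.0.7", m=1, s=5, p=LOGIN_PATH, st=200, ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    for ip, finding in detect_stuffing(sample_log()).items():
        print(ip, finding)
```

Tune min_failures and window_s to your traffic; a single-IP threshold misses distributed campaigns, so the same logic is usually also keyed on target account.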

This report was generated automatically from one log file.

Upload yours and get the same analysis in under a minute — 50+ log formats supported.

See this detection run on a real report

Try the live demo with a pre-loaded malicious log set — no signup required — or upload your own log file and get a full AI-reviewed threat report in minutes.