A single attacker has mounted two massive account takeover (ATO) campaigns against a financial institution and an entertainment company earlier this year, and used a gigantic botnet comprised of home routers and other networking products to do it. “ATO attacks (also known as credential stuffing) use previously breached username and password pairs to automate login attempts. This data may have been previously released on public dumpsites such as Pastebin or directly obtained by attackers through … More ?

See the article here:
Botnet-powered account takeover campaign hit unnamed bank