Excessive account deletion from an IP

Goal

Detect excessive account deletions from an IP.

This may be caused by a malicious actor who found an exploit to damage your platform.

Strategy

Count the number of users that were deleted by an IP.

Require the account deletion to be flagged using a user event with a usr.id metadata field set to the user being deleted.

usr.id must be provided and unique, even if the user didn’t exist.

A Medium signal is then generated if more than 5 accounts are deleted within 5 minutes.

Triage and response

  1. Investigate the user activity and validate that it is legitimate.
  2. Review your account deletion process to ensure users can’t be impersonated.
  3. Consider blocking the IP to slow down the attacker, or disable the account deletion route.