Code Room
On-call · Hard · oc-g356
Subject: Account takeover · Level: Senior–Staff · ~40 min · Common in Networking & APIs interviews · Industries: Software development, Technology

Question

Overnight your login endpoint's **success rate barely moved** (down 2%) and total volume is only up ~15% — nothing tripped your failed-login or volume alarms. But fraud reports of unauthorized logins climb the next morning. Digging in: a credential-stuffing run used a known-good combo list, so most attempts *succeeded on the first try* (low failure rate by design), spread across ~80k residential-proxy IPs at <1 req/min each, mimicking real user-agents and pacing. The attempts cluster on accounts that have **no 2FA**. How do you confirm this is stuffing (vs. a normal night), contain it, and harden — while a Black-Friday-style real traffic surge is also happening so you can't just clamp logins?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
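One way to turn "form hypotheses from real signals" into a check for this scenario, as an added example that is not part of the original question: failure rate, volume and per-IP rate are all flat by design, so it measures the share of *successful* logins coming from an IP the account has never used, split by 2FA status, against a baseline night. The per-account IP history, the event tuples, the `ratio` and `floor` thresholds and all function names are assumptions made for illustration, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed history: IPs each account has logged in from before (assumed to exist).
KNOWN_IPS = {
    "alice": {"198.51.100.10"}, "bob": {"198.51.100.20"}, "carol": {"198.51.100.30"},
    "dave": {"198.51.100.40"}, "erin": {"198.51.100.50"}, "frank": {"198.51.100.60"},
}
# Constructed login events: (account, source_ip, success, has_2fa).
BASELINE = [
    ("alice", "198.51.100.10", True, False), ("bob", "198.51.100.20", True, False),
    ("carol", "203.0.113.5", True, False),   # legitimate login from a new network
    ("dave", "198.51.100.40", True, False),
    ("erin", "198.51.100.50", True, True), ("frank", "198.51.100.60", True, True),
]
INCIDENT = [
    ("alice", "198.51.100.10", True, False), ("alice", "203.0.113.101", True, False),
    ("bob", "203.0.113.102", True, False), ("carol", "203.0.113.103", True, False),
    ("dave", "203.0.113.104", True, False), ("dave", "198.51.100.40", True, False),
    ("bob", "203.0.113.105", False, False),  # failures are rare in this pattern
    ("erin", "198.51.100.50", True, True), ("frank", "198.51.100.60", True, True),
]

def is_new_ip(account, ip, known_ips):
    return ip not in known_ips.get(account, set())

def new_ip_success_share(events, known_ips):
    """Share of successful logins from an IP the account never used, keyed by has_2fa."""
    totals, novel = defaultdict(int), defaultdict(int)
    for account, ip, success, has_2fa in events:
        if not success:
            continue  # failure counts stay flat here, so they carry no signal
        totals[has_2fa] += 1
        novel[has_2fa] += is_new_ip(account, ip, known_ips)
    return {k: novel[k] / totals[k] for k in totals}

def looks_like_stuffing(baseline, incident, known_ips, ratio=2.0, floor=0.01):
    """True when new-IP successes jump on no-2FA accounts but not on 2FA accounts."""
    b = new_ip_success_share(baseline, known_ips)
    i = new_ip_success_share(incident, known_ips)
    no_2fa_spike = i.get(False, 0.0) >= ratio * max(b.get(False, 0.0), floor)
    with_2fa_flat = i.get(True, 0.0) < ratio * max(b.get(True, 0.0), floor)
    return no_2fa_spike and with_2fa_flat

def needs_step_up(account, ip, has_2fa, known_ips):
    """Targeted containment: challenge only no-2FA logins from an unseen IP."""
    return not has_2fa and is_new_ip(account, ip, known_ips)

if __name__ == "__main__":
    print(new_ip_success_share(INCIDENT, KNOWN_IPS), looks_like_stuffing(BASELINE, INCIDENT, KNOWN_IPS))
```

`needs_step_up` is the containment half: it adds friction only to the logins that match the pattern, so returning customers on known networks pass through untouched during the surge.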
