2 – Broken Authentication

This flaw occurs when an attacker obtains a user's identity, credentials (both username and password), or web session. This can happen when a system:

  • Allows automated attacks, where the attacker can guess valid usernames and passwords
  • Permits brute force or other automated attacks
  • Allows default, weak, or well-known passwords, such as Password123
  • Uses weak or ineffective credential recovery and forgot-password methods
  • Uses plain text, encrypted, or weakly hashed passwords
  • Exposes Session IDs in the URL
  • Does not manage the Session properly after a successful login
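
As an added example (not code from the book), the sketch below shows a login path that addresses three of the conditions listed above: salted, slow password hashing instead of plain text or weak hashes, a lockout after repeated failures, and a fresh session ID issued on successful login. The `AuthService` class, the in-memory stores, the lockout threshold and the PBKDF2 work factor are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

MAX_FAILURES = 5         # assumed lockout threshold
LOCKOUT_SECONDS = 300    # assumed lockout window
PBKDF2_ROUNDS = 200_000  # assumed work factor; tune upward for your hardware

def hash_password(password, salt=None):
    """Salted, slow hash instead of plain text or a fast unsalted hash."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest

class AuthService:  # hypothetical in-memory service for illustration
    def __init__(self):
        self.users = {}     # username -> (salt, digest)
        self.failures = {}  # username -> (count, time of first failure)
        self.sessions = {}  # session id -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def _locked(self, username, now):
        count, since = self.failures.get(username, (0, now))
        if now - since > LOCKOUT_SECONDS:
            self.failures.pop(username, None)  # window expired, reset counter
            return False
        return count >= MAX_FAILURES

    def login(self, username, password, old_session_id=None, now=None):
        now = time.time() if now is None else now
        if self._locked(username, now):
            return None  # throttles brute force and other automated guessing
        # Unknown users still cost one hash, so timing does not reveal them.
        salt, digest = self.users.get(username, (b"\x00" * 16, b""))
        _, candidate = hash_password(password, salt)
        if not hmac.compare_digest(candidate, digest):
            count, since = self.failures.get(username, (0, now))
            self.failures[username] = (count + 1, since)
            return None
        self.failures.pop(username, None)
        # Discard any pre-login session ID and issue a new random one.
        self.sessions.pop(old_session_id, None)
        session_id = secrets.token_urlsafe(32)  # deliver in a cookie, not the URL
        self.sessions[session_id] = username
        return session_id
```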