Account Takeover (ATO)
What is Account Takeover (ATO)?
Account Takeover (ATO): An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
Account takeover happens when an attacker obtains valid credentials, session tokens, or recovery channels for a victim's account, then logs in as that user. Common entry points include phishing, info-stealer malware, credential stuffing using leaked passwords, SIM swapping to intercept SMS codes, OAuth consent abuse, and weaknesses in account-recovery flows. Once inside, criminals exfiltrate data, drain wallets, redirect payroll, send phishing from trusted addresses, or pivot to other systems.
Credential stuffing is the most industrialised path. In the 2023 23andMe breach, an attacker replayed username/password pairs leaked from unrelated sites against the login page over roughly five months starting April 2023. Only about 14,000 accounts were directly cracked — but because 23andMe did not enforce MFA and the DNA Relatives feature exposed connected profiles, the intruder scraped genetic and ancestry data on approximately 6.9 million people. The case shows how password reuse plus missing MFA turns a handful of compromised logins into a mass data exposure, and why detection of sustained, distributed login attempts matters.
Mitigations include phishing-resistant MFA (FIDO2/passkeys), device binding, anomaly-based login analytics, step-up authentication for risky actions, breached-password screening (aligned with NIST SP 800-63B), rate-limiting and bot detection on login, and rapid session and token revocation when abuse is detected.
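The detection side of the two paragraphs above, as an added example that is not part of the original page: a small Python detector that runs over a constructed authentication log and flags the credential-stuffing fingerprint (many distinct usernames from several source IPs in a short window, with most attempts failing), reports which accounts the burst actually got into so their sessions and tokens can be revoked, and separately flags one account being hit from many IPs. The log format, thresholds, IP addresses and usernames are all hypothetical choices made for this example.

```python
"""Credential-stuffing detection over a constructed auth log (example code)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    username: str
    success: bool


def parse_line(line: str) -> LoginEvent:
    """Parse one hypothetical log line: '<iso-timestamp> <ip> <user> <SUCCESS|FAIL>'."""
    ts, ip, user, outcome = line.split()
    return LoginEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, outcome == "SUCCESS")


def build_sample_log() -> list[str]:
    """Constructed sample data (not from any real system): benign logins, a stuffing burst, one targeted account."""
    base = datetime(2023, 4, 10, 8, 0, tzinfo=timezone.utc)
    lines = []
    # Benign: six users logging in from their usual addresses, ten minutes apart.
    for i in range(6):
        t = base + timedelta(minutes=10 * i)
        lines.append(f"{t.isoformat()} 203.0.113.{i + 1} user{i} SUCCESS")
    # Stuffing: 40 leaked username/password pairs replayed from 5 IPs within 4 minutes;
    # two pairs succeed because the victims reused the leaked password on this site.
    for i in range(40):
        t = base + timedelta(minutes=30, seconds=6 * i)
        outcome = "SUCCESS" if i in (7, 23) else "FAIL"
        lines.append(f"{t.isoformat()} 198.51.100.{i % 5 + 1} leaked{i:02d} {outcome}")
    # Targeted: a single account probed from 8 different IPs.
    for i in range(8):
        t = base + timedelta(minutes=50, seconds=20 * i)
        lines.append(f"{t.isoformat()} 192.0.2.{i + 1} victim FAIL")
    return lines


def detect_stuffing(events, window=timedelta(minutes=10), min_attempts=20, min_users=15,
                    min_ips=3, max_success_rate=0.25, min_users_per_ip=3):
    """Slide a time window over the events; flag windows with many users, many IPs and mostly failures."""
    events = sorted(events, key=lambda e: e.ts)
    flagged = [False] * len(events)
    start = 0
    for end, ev in enumerate(events):
        while events[start].ts < ev.ts - window:  # keep the chunk within `window`
            start += 1
        chunk = events[start:end + 1]
        if len(chunk) < min_attempts:
            continue
        users = {e.username for e in chunk}
        ips = {e.src_ip for e in chunk}
        success_rate = sum(e.success for e in chunk) / len(chunk)
        if len(users) >= min_users and len(ips) >= min_ips and success_rate <= max_success_rate:
            for i in range(start, end + 1):
                flagged[i] = True
    hits = [e for e, f in zip(events, flagged) if f]
    # Attribute the burst to IPs that failed against several different accounts, so a
    # legitimate user who happened to log in during the burst is not swept up.
    failed_users_by_ip = defaultdict(set)
    for e in hits:
        if not e.success:
            failed_users_by_ip[e.src_ip].add(e.username)
    stuffing_ips = {ip for ip, us in failed_users_by_ip.items() if len(us) >= min_users_per_ip}
    attack = [e for e in hits if e.src_ip in stuffing_ips]
    return {
        "attempts": len(attack),
        "distinct_users": len({e.username for e in attack}),
        "distinct_ips": len(stuffing_ips),
        # Accounts the burst got into: candidates for session/token revocation and a forced reset.
        "compromised_accounts": sorted({e.username for e in attack if e.success}),
    }


def detect_targeted_accounts(events, window=timedelta(minutes=10), min_ips=5):
    """Return {username: distinct_ips} for accounts failing from many IPs within one window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.success:
            by_user[e.username].append(e)
    hits = {}
    for user, evs in by_user.items():
        start = 0
        for end, ev in enumerate(evs):
            while evs[start].ts < ev.ts - window:
                start += 1
            ips = {x.src_ip for x in evs[start:end + 1]}
            if len(ips) >= min_ips:
                hits[user] = max(hits.get(user, 0), len(ips))
    return hits


if __name__ == "__main__":
    evs = [parse_line(line) for line in build_sample_log()]
    print(detect_stuffing(evs))
    print(detect_targeted_accounts(evs))
```

The first detector answers the question the 23andMe case raises (is someone replaying a leaked list against the login page?), while the second catches the opposite shape, one victim under distributed guessing, which a per-IP rate limit alone would miss. In production the thresholds would be tuned per application and the output fed to the rate-limiting, step-up and revocation controls listed above.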
```mermaid
flowchart LR
    L[Leaked credentials /<br/>phishing / info-stealer] --> A[Attacker]
    A --> B{Login attempt}
    B -->|no MFA| C[Account compromised]
    B -->|phishing-resistant MFA<br/>+ anomaly detection| D[Blocked / step-up]
    C --> E[Data theft, fraud,<br/>scrape connected profiles]
    C --> F[Lateral pivot /<br/>send phishing from trusted account]
    D -.->|risk score| G[Session & token revocation]
```
● Examples
1. Reusing leaked credentials from another site to log in to a banking portal.
2. The 2023 23andMe credential-stuffing breach that exposed data on ~6.9 million users.
● Frequently asked questions
What is Account Takeover (ATO)?
An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud. It belongs to the Attacks & Threats category of cybersecurity.
What does Account Takeover (ATO) mean?
An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
How do you defend against Account Takeover (ATO)?
Defences for Account Takeover (ATO) typically combine technical controls and operational practices: phishing-resistant MFA (FIDO2/passkeys), device binding, anomaly-based login analytics, step-up authentication for risky actions, breached-password screening, rate-limiting and bot detection on login, and rapid session and token revocation when abuse is detected, as listed in the full definition above.
What are other names for Account Takeover (ATO)?
Common alternative names include: ATO, Account compromise.