Account Takeover (ATO)
What is Account Takeover (ATO)?
Account Takeover (ATO): An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
Account takeover happens when an attacker obtains valid credentials, session tokens, or recovery channels for a victim's account, then logs in as that user. Common entry points include phishing, info-stealer malware, credential stuffing using leaked passwords, SIM swapping to intercept SMS codes, OAuth consent abuse, and weaknesses in account-recovery flows. Once inside, criminals exfiltrate data, drain wallets, redirect payroll, send phishing from trusted addresses, or pivot to other systems. Mitigations include phishing-resistant MFA (FIDO2/passkeys), device binding, anomaly-based login analytics, step-up authentication for risky actions, breached-password screening, and rapid session and token revocation when abuse is detected.
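The mitigations listed above (device binding, anomaly-based login analytics, step-up authentication, breached-password screening and session revocation) are easiest to understand as decisions made per login attempt. The following is an added illustration, not code from the glossary or from any product: it scores a constructed login attempt against a user's prior logins and returns a response. The field names, thresholds, sample events and the breached-password set are all assumptions made for this example.

```python
# Added illustration: score a login attempt for common account-takeover
# signals and choose a response (allow, step up, or deny and revoke).
# All events, thresholds and the breached-password set below are constructed
# for this example; they are not taken from any product or from the page.
import hashlib
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: int          # Unix seconds
    device_id: str   # stable identifier bound to the device (cookie, key, etc.)
    lat: float       # approximate geolocation of the source IP
    lon: float


# Constructed stand-in for a breached-password corpus (SHA-1 digests of
# passwords seen in public leaks). A real deployment would query a
# k-anonymity range API or a local copy of a leak corpus, not a literal set.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("password123", "qwerty", "letmein")
}

# Assumed policy thresholds.
MAX_PLAUSIBLE_KMH = 900.0   # faster than a commercial flight is implausible
MIN_TRAVEL_KM = 50.0        # ignore small geolocation jitter


def password_is_breached(password: str) -> bool:
    """Screen a candidate password against the leak corpus at set/reset time."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def assess_login(history, attempt):
    """Return (decision, signals) for an attempt given the user's prior successful logins.

    decision is one of:
      "allow"            - no anomaly detected
      "step_up"          - require a phishing-resistant second factor first
      "deny_and_revoke"  - block, invalidate existing sessions/tokens, alert the user
    """
    prior = [e for e in history if e.user == attempt.user]
    signals = []

    # Device binding: a device never seen on this account is a risk signal.
    if prior and attempt.device_id not in {e.device_id for e in prior}:
        signals.append("new_device")

    # Impossible travel: compare against the most recent prior login.
    if prior:
        last = max(prior, key=lambda e: e.ts)
        distance = haversine_km(last.lat, last.lon, attempt.lat, attempt.lon)
        hours = (attempt.ts - last.ts) / 3600.0
        if distance >= MIN_TRAVEL_KM and (hours <= 0 or distance / hours > MAX_PLAUSIBLE_KMH):
            signals.append("impossible_travel")

    if "impossible_travel" in signals:
        return "deny_and_revoke", signals
    if signals:
        return "step_up", signals
    return "allow", signals


# Constructed sample history: one successful login from London on a known laptop.
HISTORY = [LoginEvent("alice", 1_700_000_000, "laptop-1", 51.5074, -0.1278)]

if __name__ == "__main__":
    # Same device, London, two hours later -> allow.
    print(assess_login(HISTORY, LoginEvent("alice", 1_700_007_200, "laptop-1", 51.5074, -0.1278)))
    # Unknown device from Manchester a day later -> step_up.
    print(assess_login(HISTORY, LoginEvent("alice", 1_700_086_400, "phone-9", 53.4808, -2.2426)))
    # Known device but Sydney thirty minutes later -> deny_and_revoke.
    print(assess_login(HISTORY, LoginEvent("alice", 1_700_001_800, "laptop-1", -33.8688, 151.2093)))
    print(password_is_breached("password123"), password_is_breached("correct horse battery staple"))
```

The ordering of responses matters: an impossible-travel hit is treated as evidence that a session or credential has already been stolen, so existing sessions are revoked rather than merely challenged, whereas a new device alone only triggers step-up with a phishing-resistant factor. Breached-password screening runs at password set or reset time, not at login, so that a leaked password never becomes a valid credential in the first place.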
● Examples
- 01: Reusing leaked credentials from another site to log in to a banking portal.
- 02: Phishing the victim's password and MFA code, then disabling recovery options.
● Frequently asked questions
What is Account Takeover (ATO)?
An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud. It belongs to the Attacks & Threats category of cybersecurity.
What does Account Takeover (ATO) mean?
An attack in which a criminal gains unauthorised control of a legitimate user account and uses it to steal funds, data, or commit further fraud.
How does Account Takeover (ATO) work?
Account takeover happens when an attacker obtains valid credentials, session tokens, or recovery channels for a victim's account, then logs in as that user. Common entry points include phishing, info-stealer malware, credential stuffing using leaked passwords, SIM swapping to intercept SMS codes, OAuth consent abuse, and weaknesses in account-recovery flows. Once inside, criminals exfiltrate data, drain wallets, redirect payroll, send phishing from trusted addresses, or pivot to other systems. Mitigations include phishing-resistant MFA (FIDO2/passkeys), device binding, anomaly-based login analytics, step-up authentication for risky actions, breached-password screening, and rapid session and token revocation when abuse is detected.
How do you defend against Account Takeover (ATO)?
Defences for Account Takeover (ATO) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Account Takeover (ATO)?
Common alternative names include: ATO, Account compromise.
● Related terms
- Credential Stuffing (attacks, № 232): An automated attack that replays large lists of username/password pairs leaked from one service against other services, exploiting password reuse to take over accounts.
- Phishing (attacks, № 821): A social-engineering attack in which an attacker impersonates a trusted party to trick a victim into revealing credentials, transferring money, or running malware.
- SIM Swapping (attacks, № 1047): A fraud technique in which an attacker tricks or bribes a mobile carrier into transferring a victim's phone number to a SIM the attacker controls.
- Multi-Factor Authentication (MFA) (identity-access, № 708): An authentication method that requires two or more independent factors — typically from different categories — before granting access.
- Session Hijacking (attacks, № 1016): An attack that takes over a victim's authenticated session by stealing or forging the session identifier so the attacker can act as the user without their credentials.
- Info Stealer (malware, № 531): Malware that harvests credentials, cookies, tokens, crypto wallets, and other sensitive data from an infected device and exfiltrates it to the attacker.
● See also
- Identity Theft (№ 511)
- Sextortion (№ 1021)
- CAPTCHA (№ 144)
- Conversation Hijacking (№ 218)
- Bot Management (№ 118)
- Credential Harvesting (№ 230)
- Impossible Travel Detection (№ 519)
- Chargeback Fraud (№ 164)