Account takeover happens when cybercriminals acquire stolen login credentials — often using reused passwords from data breaches — to gain access to your accounts. They can use these accounts to commit unauthorized transactions, cash in loyalty points or other rewards, and more.

For the victim, it can cost a great deal of time and money to clean up after the damage is done. For companies, it can strain relationships, increase chargebacks, and hurt reputations.

How it Happens

Account takeover is a form of identity theft in which cybercriminals gain access to online accounts with stolen credentials. When criminals successfully take over a user account, they can make fraudulent transactions, steal credit card or bank information, and even use the victim’s identity to defraud others.

Criminals may launch ATO attacks for a variety of reasons. They may target individuals to carry out phishing or ransomware attacks that demand payments, steal cryptocurrency, and more. They may also target organizations with consumer-facing login systems, such as banks, shopping sites, streaming platforms, or government services like Medicare.

In these attacks, cybercriminals leverage password-guessing or brute-forcing methods to get unauthorized access to an account. They often purchase a list of credentials from the dark web and then deploy bots to test them across popular travel, retail, finance, e-commerce, and social media sites, among many others. Once they have a list of verified usernames and passwords, they can sell them for profit or use them to attack more accounts.

For businesses, ATO is a costly problem. Aside from the financial losses associated with ATO, a compromised account can lead to a loss of reputation and trust in a company’s security measures. Ultimately, these issues can lead to a decline in revenue and long-term damage to a brand’s image.

That answers the question, what is account takeover?


Account takeover attacks can occur anywhere there are accounts, and any account is a potential target. Attackers who gain access to a bank account can transfer money, steal checking routing numbers, and steal personal information like addresses or credit card details. Hackers accessing an e-commerce account can cash in rewards points or make fraudulent purchases. Attackers that take over an account associated with government benefits like Medicare can cause delays in benefits for people who need them most.

Most of these attacks happen because people rely on the same simple passwords in their professional and personal lives and because hackers can use various methods to guess those passwords and gain access. While a successful account takeover attack may not be enough to impact a company, it can provide a foothold for other types of cyberattacks like data theft or ransomware.

Detecting an account takeover attack is about recognizing the patterns that attackers will look for and responding quickly and effectively. This requires a system that continuously monitors account activity, not just during login but before and after login. For example, a sudden increase in login attempts from different IP locations can be an indicator that a breach has happened. Changes to shared details like email addresses and passwords can also indicate tampering.


The most effective way to prevent account takeover is with a continuous monitoring solution that can stop attackers. These solutions are designed to detect unauthorized changes to a customer’s accounts and provide the fraud team with the information needed to respond quickly.

Most attacks start with stolen credentials, often leaked in data breaches. Cybercriminals then use these credentials to gain access to users’ accounts. Once inside, they act as the actual account owner by abusing website functions to perform various illicit activities, including money transfers, credit card transactions, and purchases of products or services.

These fraudulent actions can have severe repercussions for the victim. For example, criminals can change passwords, notifications, and other account preferences so the account holder won’t receive notifications alerting them to suspicious activity. They can also exploit a compromised account for financial gain, as well as for their political agendas or to commit other types of crimes.

To prevent this, cybersecurity teams can set login attempt limits and use device tracking to detect suspicious behavior – such as repeated login attempts from a device 200 miles away from the user’s location. They can also deploy challenges such as CAPTCHAs that rely on human input and require image processing rather than simple text-based recognition, making them more difficult for bots to solve.


Account takeover occurs when cybercriminals access a user’s login credentials through phishing, data breaches, malware, and social engineering. The stolen credentials are used to access a victim’s online accounts and execute fraud. This can include stealing a credit card, transferring money, redirecting shipments, buying goods, gaining access to rewards points, and even reselling subscription information. Criminals may also use accounts to purchase virtual currencies and services. The resulting financial losses and the loss of customer trust can damage brand reputation and lead to long-term loss in revenue and repeat business.

The good news is there are signs to detect and respond to account takeover attacks before they escalate. An uptick in failed login attempts and password changes, a sudden drop in rewards points or loyalty perks, and a change to account information like the bank card on file are all indicators of a breach. Businesses can spot these signals by continuously monitoring all account activity and looking holistically at an entire request data set.

Aside from the direct monetary costs of fraud, other losses are becoming more prevalent. For example, a Kount 2020 survey found that 6 in 10 consumers would be less likely to shop at an online retailer again if that retailer’s security measures caused them to lose trust and loyalty. In addition, state Attorney Generals are filing lawsuits against companies that don’t correctly prevent account takeover attacks, setting a precedent for consumer protection laws against these violations.