
Account Takeover Attacks

Threat Level: High

Phishing-based credential theft leading to unauthorized account access for fraud, data theft, and lateral attacks

24B: Credential pairs available on dark web (2023)
$11.4B: Annual losses from account takeover fraud
120 Days: Average time to detect account compromise

What is Account Takeover?

Account takeover (ATO) occurs when an attacker gains unauthorized access to a user's account by stealing credentials through phishing, data breaches, or malware. Once inside, attackers use the compromised account for financial fraud, data theft, or as a launching point for attacks against contacts and colleagues.

Phishing is the primary method for ATO attacks. Fake login pages harvest credentials in real time; credential stuffing replays passwords leaked in earlier breaches against other sites; and more sophisticated attacks bypass MFA by taking over an already-authenticated session or by social engineering the user or help desk.

Why Account Takeover is Devastating:

  • Attacker has same access as legitimate user
  • Can hide activity by deleting logs and emails
  • Uses trusted account to attack organization from inside
  • Steals sensitive data, financial information, intellectual property
  • Launches secondary attacks against contacts (BEC, phishing)
  • Often undetected for months while damage accumulates

Account Takeover Attack Lifecycle

Phase 1: Credential Acquisition

How attackers steal login credentials:

  • Phishing emails: Fake login pages for Office 365, Gmail, banking sites
  • Data breaches: Purchasing credential dumps from dark web
  • Credential stuffing: Testing stolen passwords across multiple sites
  • Keyloggers/malware: Recording passwords as user types
  • Social engineering: Tricking help desk into password reset

Phase 2: Initial Access & Persistence

Attacker establishes foothold in compromised account:

  • Log in from attacker's device/location
  • Create email forwarding rules to monitor communications
  • Add attacker's email as recovery option
  • Register additional MFA devices
  • Generate API tokens or app passwords for persistent access
  • Disable security alerts and login notifications

Phase 3: Reconnaissance & Exploitation

Attacker explores account and plans next move:

  • Read emails to understand business relationships and operations
  • Identify high-value targets (CFO, finance team, vendors)
  • Search for sensitive data (financials, M&A, customer lists)
  • Map organizational structure and approval processes
  • Prepare for BEC attack, data exfiltration, or ransomware deployment

Phase 4: Attack Execution

Attacker monetizes or weaponizes compromised account:

  • BEC fraud: Email finance team requesting wire transfer
  • Lateral phishing: Send phishing emails to contacts from trusted account
  • Data theft: Exfiltrate customer data, financial records, trade secrets
  • Ransomware: Deploy malware using compromised credentials
  • Identity theft: Use personal information for financial fraud

Real-World Examples

Twitter High-Profile Account Takeover (2020)

Attackers compromised Twitter employee accounts through social engineering, then took over verified accounts of Elon Musk, Barack Obama, Bill Gates, Apple, and others to run cryptocurrency scams.

Impact: $120,000+ stolen via Bitcoin scam, massive brand damage, SEC investigation

MGM Resorts Ransomware via ATO (2023)

Attackers called the help desk impersonating an IT admin, convinced staff to reset the password, gained access to the IT admin account, then deployed ransomware across hotel/casino systems.

Impact: $100M+ losses, 10 days of slot machine downtime, guest room key systems offline

Detection Signs of Account Compromise

Account Behavior Anomalies:

  • Login notifications from unfamiliar locations or devices
  • Password reset emails you didn't request
  • New MFA devices or recovery emails added
  • Unfamiliar email forwarding rules or filters
  • Emails in Sent folder you didn't send
  • Contacts receiving suspicious emails "from you"

Technical Indicators:

  • Multiple failed login attempts before successful access
  • Login from impossible travel (NYC then Moscow 30 min later)
  • Login from suspicious IP addresses (VPN, Tor, known malicious)
  • Unusual API token generation or OAuth app permissions
  • Access to sensitive data you don't normally view
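As an added example (not code from this page or from HeaderScope), the following Python script applies two of the indicators above, a burst of failed logins immediately followed by a success and impossible travel between consecutive successful logins, to a constructed sign-in log. The thresholds, user names and coordinates are assumptions.

```python
import math
from datetime import datetime

# Constructed sample sign-in log (not real data): timestamp, user, result, city, lat, lon
EVENTS = [
    ("2024-05-01T09:00:00", "alice", "fail", "New York", 40.71, -74.01),
    ("2024-05-01T09:00:20", "alice", "fail", "New York", 40.71, -74.01),
    ("2024-05-01T09:00:45", "alice", "fail", "New York", 40.71, -74.01),
    ("2024-05-01T09:01:10", "alice", "success", "New York", 40.71, -74.01),
    ("2024-05-01T09:30:00", "alice", "success", "Moscow", 55.76, 37.62),
    ("2024-05-01T10:00:00", "bob", "success", "Chicago", 41.88, -87.63),
]

MAX_PLAUSIBLE_KMH = 1000  # assumed ceiling: faster than this between logins is "impossible travel"
FAIL_BURST = 3            # assumed threshold: this many failures right before a success

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect(events):
    """Return (user, reason) alerts for failure bursts and impossible travel."""
    alerts, fails, last_ok = [], {}, {}
    for ts, user, result, city, lat, lon in sorted(events):
        t = datetime.fromisoformat(ts)
        if result == "fail":
            fails[user] = fails.get(user, 0) + 1
            continue
        # A success right after repeated failures looks like password guessing or stuffing
        if fails.get(user, 0) >= FAIL_BURST:
            alerts.append((user, f"{fails[user]} failures then success from {city}"))
        fails[user] = 0
        # Compare with the previous successful login: distance / elapsed time = implied speed
        if user in last_ok:
            pt, pcity, plat, plon = last_ok[user]
            hours = (t - pt).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                alerts.append((user, f"impossible travel {pcity} -> {city}: {km:.0f} km in {hours * 60:.0f} min"))
        last_ok[user] = (t, city, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, reason in detect(EVENTS):
        print(f"ALERT {user}: {reason}")
```

In a real deployment the geolocation would come from the identity provider's sign-in log and the speed ceiling should be tuned to avoid alerting on legitimate VPN exits.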

Business Impact Indicators:

  • Colleagues asking about suspicious emails you supposedly sent
  • Unauthorized financial transactions
  • Missing emails or deleted folders
  • Changes to account settings you didn't make
  • Customer complaints about communications you didn't send

Prevention Strategies

1. Strong Authentication (CRITICAL)

  • Enable MFA everywhere: Email, banking, social media, work accounts
  • Use authenticator apps: Not SMS (vulnerable to SIM swapping); note that one-time codes from an app can still be phished in real time
  • Hardware security keys: YubiKey, Titan Key for high-value accounts; FIDO2/WebAuthn keys are phishing-resistant because the credential is bound to the genuine site's origin
  • Unique passwords: Different password for every account
  • Password manager: Generate and store strong random passwords

2. Phishing Awareness

  • Never click login links in emails; type the URL directly
  • Verify login pages show the correct domain (microsoft.com, not rnicr0soft.com)
  • Check for HTTPS and a valid certificate before entering credentials, but remember that phishing sites routinely have valid certificates too; the domain name is what matters
  • Use HeaderScope to verify suspicious emails before clicking
  • Be suspicious of urgent password reset requests

3. Monitor Account Activity

  • Review login history monthly (Google, Microsoft, social media)
  • Enable login alerts for all accounts
  • Check active sessions and revoke unfamiliar devices
  • Review authorized OAuth apps and API tokens
  • Monitor email forwarding rules and filters

4. Data Breach Response

  • Use Have I Been Pwned (haveibeenpwned.com) to check for breaches
  • Change password immediately if account appears in breach
  • Check all accounts using same or similar password
  • Never reuse passwords across different accounts

If Your Account is Compromised

Immediate Actions (First Hour):

  1. Change password immediately from trusted device (not compromised one)
  2. Revoke all active sessions to kick attacker out
  3. Remove unauthorized MFA devices, recovery emails, phone numbers
  4. Check and delete malicious email forwarding rules
  5. Revoke OAuth app permissions for unfamiliar applications
  6. Alert IT/security team immediately (business accounts)

Follow-Up Actions (24-48 Hours):

  1. Review sent emails for unauthorized messages, warn recipients
  2. Check account settings for any other changes (signature, auto-reply)
  3. Scan all devices with antivirus/antimalware
  4. Review financial accounts for unauthorized transactions
  5. File reports: FBI IC3, FTC, company security team
  6. Notify affected parties: Contacts, customers if data accessed
  7. Change passwords on other accounts using same password
  8. Monitor credit reports if personal information was compromised

Detect Phishing Before Account Takeover

Most account takeover attacks start with phishing emails. Use HeaderScope to analyze suspicious login requests, password resets, and security alerts before clicking links or entering credentials.
