Account Takeover

Also known as: ATO

An attack where a fraudster gains control of a legitimate user's account — typically through credential theft — and then uses it to steal funds, data, or reputation.


What is account takeover?

Account takeover (often abbreviated ATO) is the endpoint of a successful credential-based attack: the attacker is now logged in as the victim, with the victim's full permissions, and the application has no way to distinguish them from the real user. The pre-attack phase uses phishing, credential stuffing, brute force, SIM swapping, session-cookie theft, or malware to obtain the credentials or session. What happens next depends on the kind of account.

ATO by account type

  • Bank and brokerage accounts — drain funds, change wire-transfer instructions, open lines of credit against the victim's assets
  • Email accounts — reset passwords on every other service the victim uses, since password-reset links land in the inbox; one compromised email often cascades to a dozen more compromises
  • E-commerce accounts — order high-value goods shipped to a reshipping address, commit carding with stored cards
  • Social media accounts — DM the victim's contacts with phishing links or crypto scams, using the victim's reputation as social proof
  • SaaS/corporate accounts — exfiltrate customer data, insert persistent access, move laterally into other accounts

Detection and defense

Detection focuses on "unusual for this user" signals: a login from a country they've never been to, a device fingerprint that doesn't match, a login time outside their normal pattern, or a password change followed immediately by a high-value transaction. IP reputation layers on top — a login from a datacenter or residential-proxy IP for a user who normally logs in from a single home ISP is a strong ATO signal. Defenses combine MFA (usually breaks ATO even when the password is known), session reauthentication on sensitive actions, and downstream anomaly scoring. Running the login IP through an IP abuse report checker flags attempts from known-abuse infrastructure.
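The "unusual for this user" signals listed above (and repeated in the FAQ's warning-signs answer) as a worked scoring example: a per-user baseline, a weighted score over one login event, an impossible-travel check against the previous login, and a post-login sequence check for a password change followed by a high-value transfer. This is added illustration code, not from the original page; the baseline profile, the events, the weights and the 900 km/h travel threshold are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass
class UserProfile:
    """Baseline a defender derives from login history (constructed, hypothetical)."""
    known_countries: set[str]
    known_devices: set[str]
    usual_hours: range          # local hours in which this user normally logs in


@dataclass
class LoginEvent:
    ts: datetime
    country: str
    device_id: str
    lat: float
    lon: float
    ip_type: str                # "residential", "datacenter" or "residential_proxy"


MAX_PLAUSIBLE_KMH = 900.0       # about airliner speed; faster implies two different people


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km, used for the impossible-travel check."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_login(profile: UserProfile, event: LoginEvent,
                previous: LoginEvent | None) -> tuple[int, list[str]]:
    """Weighted 'unusual for this user' score; weights are illustrative assumptions."""
    score, reasons = 0, []
    if event.country not in profile.known_countries:
        score += 30
        reasons.append("new_country")
    if event.device_id not in profile.known_devices:
        score += 20
        reasons.append("new_device")
    if event.ts.hour not in profile.usual_hours:
        score += 10
        reasons.append("unusual_hour")
    if event.ip_type in ("datacenter", "residential_proxy"):
        score += 30
        reasons.append("ip_type:" + event.ip_type)
    if previous is not None:
        hours = (event.ts - previous.ts).total_seconds() / 3600.0
        km = haversine_km(previous.lat, previous.lon, event.lat, event.lon)
        # hours > 0 guards against clock skew and duplicate events
        if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
            score += 40
            reasons.append("impossible_travel")
    return score, reasons


def password_change_then_transfer(actions: list[tuple[datetime, str, float]],
                                  window: timedelta = timedelta(hours=1),
                                  min_amount: float = 1000.0) -> bool:
    """Post-login sequence check: password change followed within `window`
    by a transfer of at least `min_amount`."""
    last_change: datetime | None = None
    for ts, kind, amount in sorted(actions):
        if kind == "password_change":
            last_change = ts
        elif kind == "transfer" and amount >= min_amount and last_change is not None:
            if ts - last_change <= window:
                return True
    return False


# Constructed sample data (not from the page): one baseline user, three logins, two action logs.
def sample_profile() -> UserProfile:
    return UserProfile({"US"}, {"dev-home"}, range(7, 23))


def sample_logins() -> tuple[LoginEvent, LoginEvent, LoginEvent]:
    """(baseline login, suspicious login two hours later, benign login next day)."""
    baseline = LoginEvent(datetime(2024, 5, 1, 9, 0), "US", "dev-home", 40.71, -74.01, "residential")
    suspicious = LoginEvent(datetime(2024, 5, 1, 11, 0), "RO", "dev-x", 44.43, 26.10, "datacenter")
    benign = LoginEvent(datetime(2024, 5, 2, 8, 30), "US", "dev-home", 40.71, -74.01, "residential")
    return baseline, suspicious, benign


def sample_actions(suspicious: bool) -> list[tuple[datetime, str, float]]:
    t = datetime(2024, 5, 1, 10, 0)
    if suspicious:
        return [(t, "login", 0.0), (t + timedelta(minutes=5), "password_change", 0.0),
                (t + timedelta(minutes=20), "transfer", 4500.0)]
    return [(t, "login", 0.0), (t + timedelta(minutes=5), "transfer", 50.0)]


if __name__ == "__main__":
    base, bad, ok = sample_logins()
    print("suspicious:", score_login(sample_profile(), bad, base))
    print("benign:", score_login(sample_profile(), ok, base))
    print("change-then-transfer:", password_change_then_transfer(sample_actions(True)))
```

The score is deliberately additive so that a single weak signal (an off-hours login) stays below an alerting threshold while a combination (new country plus datacenter IP plus impossible travel) crosses it; the IP-type check is where an IP abuse report lookup would plug in.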

Frequently Asked Questions

What is account takeover?

Account takeover is a fraud pattern in which an attacker gains working credentials or a valid session for a legitimate user's account and then operates as that user — draining funds, ordering goods, sending fraud messages to the victim's contacts, or pivoting into other accounts. The application cannot tell the attacker from the real user.

How do attackers take over accounts?

The main paths are phishing (the user types their password into a fake login), credential stuffing (attackers replay leaked username/password pairs from other breaches), brute force against weak passwords, SIM swapping to intercept SMS MFA codes, session-cookie theft from malware or cross-site scripting, and social engineering of support staff.

What are the warning signs of an account takeover?

Look for logins from a country or device the user has never used, password changes followed immediately by withdrawals or shipping-address changes, impossible travel (two logins far apart in time too short to travel between), logins from datacenter or residential-proxy IPs for a user who normally logs in from a single home ISP, and sudden changes to email, phone, or MFA settings.

Does MFA stop account takeover?

MFA blocks the large majority of credential-stuffing and bulk phishing-based ATO — attackers have the password but not the second factor. It does not fully stop phishing kits that proxy the MFA prompt in real time (adversary-in-the-middle), SIM-swap attacks against SMS-only MFA, or session-cookie theft after the user has authenticated. Phishing-resistant MFA (passkeys, FIDO2 security keys) closes most of that gap.

What should I do if my account has been taken over?

Change the password from a known-clean device, revoke all active sessions, rotate MFA factors (remove and re-add), check and reverse any recent profile changes (email, phone, recovery address, shipping), notify the service's fraud team, freeze or dispute unauthorized transactions with your bank or card issuer, and scan your device for malware before logging back in.
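The server-side half of two defenses named on this page, session reauthentication on sensitive actions and revoking all active sessions on password change, as a worked example. This is added illustration code, not from the original page: the in-memory session store, the set of sensitive actions, the five-minute reauthentication window and the epoch-second timestamps are constructed assumptions.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Actions an attacker riding a stolen session would want; each needs a fresh credential proof.
SENSITIVE_ACTIONS = {"change_email", "change_phone", "change_mfa",
                     "change_shipping_address", "wire_transfer"}
REAUTH_MAX_AGE_S = 300          # assumed window: proof of password/MFA no older than 5 minutes


@dataclass
class Session:
    token: str
    user_id: str
    created_at: int             # epoch seconds
    last_auth_at: int           # epoch seconds of the last password/MFA proof on this session
    revoked: bool = False


class SessionStore:
    """Minimal server-side session store (constructed for the example)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self, user_id: str, now: int) -> Session:
        # A fresh login counts as an authentication proof
        token = secrets.token_urlsafe(32)
        s = Session(token, user_id, now, now)
        self._sessions[token] = s
        return s

    def get(self, token: str) -> Session | None:
        s = self._sessions.get(token)
        return s if s is not None and not s.revoked else None

    def record_reauth(self, token: str, now: int) -> bool:
        """Called after the user re-enters a password or passes an MFA prompt."""
        s = self.get(token)
        if s is None:
            return False
        s.last_auth_at = now
        return True

    def revoke_all_for_user(self, user_id: str, keep_token: str | None = None) -> int:
        """Revoke every session of the user except `keep_token`; returns the count revoked."""
        n = 0
        for s in self._sessions.values():
            if s.user_id == user_id and s.token != keep_token and not s.revoked:
                s.revoked = True
                n += 1
        return n


def authorize(store: SessionStore, token: str, action: str, now: int) -> str:
    """Returns 'allow', 'reauth_required' or 'deny'. Sensitive actions on a session whose
    last credential proof is older than REAUTH_MAX_AGE_S are bounced to step-up auth."""
    s = store.get(token)
    if s is None:
        return "deny"
    if action in SENSITIVE_ACTIONS and now - s.last_auth_at > REAUTH_MAX_AGE_S:
        return "reauth_required"
    return "allow"


def change_password(store: SessionStore, user_id: str, current_token: str, now: int) -> int:
    """Password change as an ATO recovery step: every other session of the user
    (including one riding a stolen cookie) is revoked; the current session stays and is
    marked freshly authenticated. Returns the number of sessions revoked."""
    if not store.record_reauth(current_token, now):
        return 0
    return store.revoke_all_for_user(user_id, keep_token=current_token)


if __name__ == "__main__":
    store = SessionStore()
    victim = store.create("u1", 1000)
    stolen = store.create("u1", 1000)    # a second session, e.g. from a stolen cookie
    print(authorize(store, stolen.token, "wire_transfer", 1000 + 1800))   # reauth_required
    print(change_password(store, "u1", victim.token, 3200))               # 1
    print(authorize(store, stolen.token, "view_balance", 3201))           # deny
```

Two points in the design matter for ATO: the reauthentication clock is per session (a proof on the victim's own session does not refresh the attacker's), and the password change revokes by user rather than by token, so a session whose cookie the attacker stole dies with it. Rotating MFA factors would follow the same pattern by invalidating the enrolled factor identifiers.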