Account Takeover (ATO)

Learn what account takeover (ATO) is, how it works, real-world examples, and best practices to prevent ATO attacks.

What is an account takeover?

An account takeover is when a threat actor gains unauthorized control of a legitimate user’s account and uses that access for fraud, data theft, or further intrusion.

In practical terms, account takeovers happen when someone signs in as an existing user and the system believes it. Attackers typically exploit weak or reused login credentials, steal session tokens, or bypass authentication controls to reach sensitive information. They then conduct high-impact actions such as changing payout details, placing fraudulent orders, exfiltrating data, or escalating privileges across interconnected systems. 

According to Verizon’s 2025 DBIR, attacks against basic web apps involved stolen credentials in about 88% of cases, highlighting how often login credentials are the entry point.

How does an account takeover work?

Most ATOs follow a predictable chain of events: harvest credentials, test them at scale, bypass any defenses, then monetize or pivot to other systems.

The common steps of an account takeover

  1. Credential harvesting via phishing, infostealer malware, or earlier data breaches that expose username and password pairs.
  2. Credential stuffing and password guessing at scale with bots and scripts. OWASP describes credential stuffing as the automated injection of stolen username and password pairs into login forms to fraudulently gain access; MITRE ATT&CK tracks it as sub-technique T1110.004 under Brute Force, alongside password spraying (T1110.003).
  3. MFA bypass using adversary-in-the-middle (AiTM) phishing, push-notification fatigue (prompt bombing), or SIM swap attacks to intercept or coerce second factors. Microsoft reported a 146% year-over-year increase in adversary-in-the-middle phishing in 2024.
  4. Session hijacking or token theft, for example session cookies lifted by an infostealer or relayed through an AiTM proxy, which lets the attacker act as the user without re-authenticating or triggering MFA again.
  5. Monetization and movement, such as changing bank details, transferring loyalty points, or pivoting into internal systems and cloud consoles via federated trust.

The sheer scale is daunting. Microsoft observed roughly 7,000 password attacks per second in 2024, more than double 2023, underscoring how automated the problem has become.

What are some real-world examples of account takeovers?

Recent ATO incidents have impacted consumer platforms, fintechs, and data infrastructure.

Examples to know

  • Snowflake customer data theft 2024: Mandiant reported a campaign in which attackers used credentials stolen by infostealer malware to access Snowflake customer instances. Reported downstream victims included Ticketmaster and Santander, illustrating how compromised login credentials can cascade into large data breaches and extortion.
  • 23andMe credential stuffing 2023: Attackers used reused passwords to sign in to roughly 14,000 accounts, then used the DNA Relatives sharing feature to scrape profile data belonging to millions of other users. The company's disclosures and the subsequent class-action settlement proposals describe the 2023 incident as credential stuffing driven, not a direct network intrusion.
  • DraftKings 2022 ATO, legal actions through 2024: Roughly 68,000 customer accounts were hijacked via credential stuffing in late 2022, with federal charges and arrests announced in 2023 and 2024. The company disclosed the attacks in its 2023 annual report filing.

How common or costly are account takeovers today?

ATO is widespread and costly, with losses often reported under broader cybercrime or fraud categories.

Current stats:

What signals indicate an account takeover in progress?

Signals include unusual login patterns, changes to user management settings, and risky post-login behavior.

Operational indicators

  • Impossible travel, new locations, or unfamiliar devices appearing at sign-in.
  • Spikes in failed logins followed by a surge of successful logins from the same IP range.
  • Rapid changes to access management or user management settings such as new admin roles, new API keys, or MFA resets.
  • Post-login behavior that touches sensitive information or monetization paths like payout changes, credential exports, or report downloads.
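The four indicators above can be checked mechanically against sign-in and audit logs. The Python below is an added example, not code from the original page or from Frontegg: it runs three detectors over a constructed set of events (a stuffing burst that lands a few accounts, an impossible-travel pair for one user, and a sensitive change made minutes after a sign-in from an unknown device). The event schema, the geolocation coordinates, the per-user device baseline and the thresholds are all assumptions chosen for the example.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events, not real logs. Each row is
# (timestamp, user, source_ip, kind, lat, lon, device_id); kind is "fail" or "ok" for
# sign-in attempts, or the name of a post-login action. Coordinates stand in for IP geolocation.
RAW = [
    # credential stuffing: one IP fails across 25 accounts, then lands three successes
    *[(f"2024-05-01T10:00:{i:02d}", f"user{i:02d}", "203.0.113.9", "fail", 40.7, -74.0, "bot-1") for i in range(25)],
    ("2024-05-01T10:01:00", "user03", "203.0.113.9", "ok", 40.7, -74.0, "bot-1"),
    ("2024-05-01T10:01:05", "user11", "203.0.113.9", "ok", 40.7, -74.0, "bot-1"),
    ("2024-05-01T10:01:09", "user19", "203.0.113.9", "ok", 40.7, -74.0, "bot-1"),
    # impossible travel: alice signs in from New York, then from Tokyo 30 minutes later on an unknown device
    ("2024-05-01T11:00:00", "alice", "198.51.100.4", "ok", 40.7, -74.0, "alice-laptop"),
    ("2024-05-01T11:30:00", "alice", "192.0.2.77", "ok", 35.7, 139.7, "unknown-android"),
    # risky post-login changes right after that new-device sign-in
    ("2024-05-01T11:31:00", "alice", "192.0.2.77", "mfa_reset", 35.7, 139.7, "unknown-android"),
    ("2024-05-01T11:32:00", "alice", "192.0.2.77", "payout_change", 35.7, 139.7, "unknown-android"),
    # benign: bob downloads a report from the laptop he always uses
    ("2024-05-01T12:00:00", "bob", "198.51.100.8", "ok", 51.5, -0.1, "bob-laptop"),
    ("2024-05-01T12:05:00", "bob", "198.51.100.8", "report_download", 51.5, -0.1, "bob-laptop"),
]
KNOWN_DEVICES = {"alice": {"alice-laptop"}, "bob": {"bob-laptop"}}  # constructed device baseline per user
SENSITIVE_ACTIONS = {"mfa_reset", "payout_change", "api_key_create", "credential_export", "report_download"}

def load(raw):
    keys = ("ts", "user", "ip", "kind", "lat", "lon", "device")
    return [dict(zip(keys, (datetime.fromisoformat(r[0]),) + r[1:])) for r in raw]

EVENTS = load(RAW)

def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def detect_stuffing(events, window=timedelta(minutes=10), min_fails=20, min_users=10):
    """Failed-login spike across many accounts from one source, followed by successes: stuffing that landed."""
    by_ip = defaultdict(list)
    for e in events:
        if e["kind"] in ("fail", "ok"):
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        start = evs[0]["ts"]
        recent = [e for e in evs if e["ts"] - start <= window]
        fails = [e for e in recent if e["kind"] == "fail"]
        landed = [e["user"] for e in recent if e["kind"] == "ok" and fails and e["ts"] > fails[0]["ts"]]
        if len(fails) >= min_fails and len({e["user"] for e in fails}) >= min_users and landed:
            alerts.append({"rule": "credential_stuffing", "ip": ip, "fails": len(fails), "accounts": landed})
    return alerts

def detect_impossible_travel(events, max_speed_kmh=900.0):
    """Two successful sign-ins for one user farther apart than any flight could cover in the time between."""
    last, alerts = {}, []
    for e in events:
        if e["kind"] != "ok":
            continue
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = max((e["ts"] - prev["ts"]).total_seconds() / 3600, 1 / 3600)  # floor at one second
            if km / hours > max_speed_kmh:
                alerts.append({"rule": "impossible_travel", "user": e["user"], "km": round(km), "hours": round(hours, 2)})
        last[e["user"]] = e
    return alerts

def detect_risky_post_login(events, known_devices, window=timedelta(minutes=30)):
    """A sensitive change shortly after a sign-in from a device the user has never used before."""
    new_device_login, alerts = {}, []
    for e in events:
        if e["kind"] == "ok" and e["device"] not in known_devices.get(e["user"], set()):
            new_device_login[e["user"]] = e["ts"]
        elif e["kind"] in SENSITIVE_ACTIONS:
            t = new_device_login.get(e["user"])
            if t is not None and e["ts"] - t <= window:
                alerts.append({"rule": "sensitive_change_after_new_device", "user": e["user"],
                               "action": e["kind"], "device": e["device"]})
    return alerts

def run_all(events=EVENTS, known_devices=KNOWN_DEVICES):
    return detect_stuffing(events) + detect_impossible_travel(events) + detect_risky_post_login(events, known_devices)

if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

Two design points worth noting: the stuffing rule only counts successes that come after the failure burst from the same source, which is what separates a landed attack from a noisy but harmless scanner, and the post-login rule fires on the combination of an unfamiliar device and a sensitive change, so Bob's routine report download from his usual laptop produces nothing.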

Which industries are most targeted?

Any consumer-facing web or mobile app is at risk, but ecommerce, fintech, gaming and media, and data platforms are targeted most often.

Why these sectors

  • They hold valuable PII and payment data, plus direct pathways to financial losses through stored balances and payout flows.
  • API traffic and high-volume login endpoints make automated attacks easy to scale. Akamai's State of the Internet research continues to document heavy bot traffic and billions of web attacks, including credential replay against retail and app logins.

What are the impacts of account takeovers?

Impacts range across direct financial losses, fraud, privacy harm, brand damage, and downstream compromise of partner systems.

Consequences:

  • Direct theft via wallet drains, refunds, and promo abuse.
  • Support costs, chargebacks, and regulatory exposure for privacy or data protection failures.
  • Trust erosion and customer churn after publicized incidents.
  • Lateral movement into back-office systems.

What are best practices for protecting against account takeovers?

An effective defense combines strong authentication, account intelligence, and clear recovery processes.

Priority controls

  • Adopt phishing-resistant MFA or passkeys for both customers and admins, with step-up authentication for risky actions such as changing payout accounts or exporting data.
  • Harden passwords. Follow NIST SP 800-63B: screen new passwords against breached-password lists, allow long passphrases, and drop arbitrary complexity rules and periodic forced rotation, which push users toward predictable choices.
  • Detect and block bots. Use rate limiting, device fingerprinting, and behavioral analysis to stop credential stuffing and password spraying. 
  • Instrument sign-in and post-login analytics. Watch for sudden changes to access management or user management data, anomalous purchases or refunds, and suspicious API usage.
  • Segment and minimize blast radius. Limit permissions by default, isolate high-risk actions, and demand reauthentication for sensitive changes.
  • Secure recovery flows. Lock down password resets and MFA resets with extra checks to prevent easy takeover through the back door.
  • Educate users about phishing attacks and password reuse, and notify them when a login occurs from a new device or location. Government advisories emphasize phishing-resistant authentication and layered controls.
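The password-hardening and bot-blocking controls above translate directly into verifier-side code. The Python below is an added example, not code from the original page or from Frontegg: `check_password` applies NIST SP 800-63B style screening (length, breach list, context words, trivial patterns, and deliberately no composition rules), with the breach check done as a k-anonymity range lookup so only a 5-character hash prefix would ever leave the client; `LoginGuard` is a sliding-window limiter on the sign-in endpoint keyed on both source IP and target account, so stuffing and spraying both trip it. The breach corpus, the service name `acme`, and every threshold are constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque

# Constructed mini breach corpus (not a real breach list). Stored as SHA-1 hashes bucketed by the first
# 5 hex characters, the same shape as a k-anonymity range query (the Pwned Passwords API style): the
# client sends only the 5-char prefix and compares suffixes locally, so the password hash never leaves it.
_BREACHED = ["password", "123456", "qwerty", "letmein", "Summer2024!", "iloveyou"]

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

BREACH_INDEX = defaultdict(set)
for _pw in _BREACHED:
    _h = sha1_hex(_pw)
    BREACH_INDEX[_h[:5]].add(_h[5:])

def range_lookup(prefix):
    """What the breach service would return for a prefix: every stored suffix under it."""
    return BREACH_INDEX.get(prefix.upper(), set())

def is_breached(password):
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])

def _is_sequential(s):
    return len(s) >= 4 and all(ord(b) - ord(a) in (1, -1) for a, b in zip(s, s[1:]))

def check_password(password, username="", service="acme"):
    """NIST SP 800-63B style screening: length, breach list, context words and trivial patterns.
    Deliberately no composition rules (uppercase/digit/symbol) and no expiry-driven rotation."""
    problems = []
    if len(password) < 8:
        problems.append("too_short")
    if len(password) > 64:
        problems.append("too_long")  # long passphrases are fine; the cap only bounds hashing cost
    low = password.lower()
    if any(w and w in low for w in (username.lower(), service.lower())):
        problems.append("contains_context_word")
    if len(set(low)) <= 2:
        problems.append("repetitive")
    if _is_sequential(low):
        problems.append("sequential")
    if is_breached(password):
        problems.append("breached")
    return problems

class LoginGuard:
    """Sliding-window limiter for the sign-in endpoint, keyed on source IP and on target account, so that
    stuffing (many accounts from one IP) and spraying/brute force (one account from many IPs) both trip it."""
    def __init__(self, window_s=300, ip_fail_limit=30, ip_distinct_users=10, account_fail_limit=10):
        self.window = window_s
        self.ip_fail_limit, self.ip_distinct_users = ip_fail_limit, ip_distinct_users
        self.account_fail_limit = account_fail_limit
        self.ip_fails = defaultdict(deque)       # ip -> deque of (time, user)
        self.account_fails = defaultdict(deque)  # user -> deque of (time, ip)

    def _trim(self, dq, now):
        while dq and now - dq[0][0] > self.window:
            dq.popleft()

    def decide(self, ip, user, now):
        """Call before checking the password. 'block' drops the request, 'challenge' means add a
        captcha or step-up factor for this account, 'allow' proceeds normally."""
        ipq, acctq = self.ip_fails[ip], self.account_fails[user]
        self._trim(ipq, now)
        self._trim(acctq, now)
        if len(ipq) >= self.ip_fail_limit or len({u for _, u in ipq}) >= self.ip_distinct_users:
            return "block"
        if len(acctq) >= self.account_fail_limit:
            return "challenge"
        return "allow"

    def record_failure(self, ip, user, now):
        self.ip_fails[ip].append((now, user))
        self.account_fails[user].append((now, ip))
```

Note that the per-account path returns a challenge rather than a block: hard-locking an account after a few failures hands attackers a denial-of-service lever against legitimate users, whereas an IP that has touched ten different accounts in five minutes has no legitimate explanation and can be dropped outright.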

How should teams respond if they suspect an account takeover?

Move fast to stop the session, verify the user, and contain any fraud or data exposure.

Response checklist

  • Kill sessions and temporarily lock the account while verifying the rightful owner.
  • Reset credentials and force re-authentication everywhere, including re-enrolling MFA devices so that a factor the attacker registered does not survive the reset.
  • Review recent changes in user management and access management such as role updates, webhook destinations, payout details, and API tokens.
  • Inspect adjacent systems that trust the compromised account and rotate secrets.
  • Notify the user and, where applicable, regulators or partners, following incident response guidance.
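Killing sessions and forcing re-authentication (the first two items of this checklist), and the step-up authentication for risky actions called for under priority controls, both come down to how the session token is bound to server-side state. The Python below is an added example, not code from the original page or from Frontegg: every token carries the user's current `auth_version`, so bumping that one number during containment invalidates all outstanding sessions at once, and sensitive actions additionally require a recent, MFA-backed authentication. The token format is a minimal HMAC-signed stand-in rather than a real JWT library, and the signing key, user table, and time limits are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key-not-for-production"  # assumption: a server-side signing key
SESSION_TTL = 8 * 3600
STEP_UP_MAX_AGE = 300  # seconds a sign-in stays "fresh" for sensitive actions
SENSITIVE_ACTIONS = {"payout_change", "api_key_create", "mfa_reset", "data_export"}

# Server-side per-user auth state (constructed). auth_version is stamped into every token the user is
# issued; bumping it invalidates all of them at once, without having to find and delete each session.
USERS = {"alice": {"auth_version": 1, "locked": False, "mfa_bound": True}}

def _b64(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(raw):
    return _b64(hmac.new(SECRET, raw.encode(), hashlib.sha256).digest())

def issue_token(user, now, amr=("pwd",)):
    """Mint a session token. amr records which factors were used ("pwd", "mfa"), as in OIDC."""
    u = USERS[user]
    if "mfa" in amr and not u["mfa_bound"]:
        raise ValueError("MFA must be re-enrolled before an MFA-backed session can be issued")
    body = {"sub": user, "ver": u["auth_version"], "auth_time": now, "exp": now + SESSION_TTL, "amr": list(amr)}
    raw = _b64(json.dumps(body, sort_keys=True).encode())
    return f"{raw}.{_sign(raw)}"

def verify_token(token, now):
    """Returns the token body if signature, expiry, lock state and auth_version all check out, else None."""
    try:
        raw, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(raw)):
        return None
    body = json.loads(_unb64(raw))
    u = USERS.get(body["sub"])
    if u is None or u["locked"] or now > body["exp"] or body["ver"] != u["auth_version"]:
        return None
    return body

def authorize(token, action, now):
    """'ok', 'reauth' (valid session, but too stale or too weak for this action) or 'denied'."""
    body = verify_token(token, now)
    if body is None:
        return "denied"
    if action in SENSITIVE_ACTIONS and (now - body["auth_time"] > STEP_UP_MAX_AGE or "mfa" not in body["amr"]):
        return "reauth"
    return "ok"

def contain_account(user):
    """Incident response: kill every session, lock the account, and drop the MFA binding so that recovery
    re-enrols a factor the attacker does not hold."""
    u = USERS[user]
    u["auth_version"] += 1
    u["locked"] = True
    u["mfa_bound"] = False

def restore_account(user, now):
    """After the owner is verified out of band: unlock, re-bind MFA and issue a fresh session. Tokens issued
    before containment stay dead because they carry the old auth_version."""
    u = USERS[user]
    u["locked"] = False
    u["mfa_bound"] = True
    return issue_token(user, now, amr=("pwd", "mfa"))
```

The same version check is what makes a stolen session cookie or token worthless after containment: an attacker who still holds a valid signature is rejected because the server-side number has moved on, which is the behaviour a purely stateless, signature-only token cannot give you.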

How does Frontegg protect against account takeovers?

Frontegg gives you straightforward tools to keep accounts safe and spot trouble fast. You can turn on MFA and passkeys, add extra checks for sensitive actions, and use clear roles to limit what any account can do. Admins can view active sessions, sign users out, reset passwords, and review recent changes without waiting on engineering.

Protection also happens at the edges and inside the app. IP allowlists, risk signals, and rate limits reduce credential stuffing and other bot activity, and you can require a fresh login for high-risk moves like changing payout info or creating API keys. With Frontegg in place, teams enforce strong logins, monitor the right signals, and act quickly from a single admin surface, which reduces both the odds and the impact of account takeovers.