Account Takeover (ATO)

Learn what account takeover (ATO) is, how it works, real-world examples, and best practices to prevent ATO attacks.

What is an account takeover?

An account takeover is when a threat actor gains unauthorized control of a legitimate user’s account and uses that access for fraud, data theft, or further intrusion.

In practical terms, account takeovers happen when someone signs in as an existing user and the system believes it. Attackers typically exploit weak or reused login credentials, steal session tokens, or bypass authentication controls to reach sensitive information. They then conduct high-impact actions such as changing payout details, placing fraudulent orders, exfiltrating data, or escalating privileges across interconnected systems.

According to Verizon’s 2025 DBIR, attacks against basic web apps involved stolen credentials in about 88% of cases, highlighting how often login credentials are the entry point.

How does an account takeover work?

Most ATOs follow a predictable chain of events: harvest credentials, test them at scale, bypass any defenses, then monetize or pivot to other systems.

The common steps of an account takeover

Credential harvesting using phishing attacks, infostealer malware, or data breaches that expose login credentials. MITRE ATT&CK lists credential stuffing as sub-technique T1110.004, where attackers replay breached username and password pairs to gain access.
Credential stuffing and password guessing at scale with bots and scripts. OWASP describes credential stuffing as automated injection of stolen username and password pairs into login forms to fraudulently gain access.
MFA bypass using adversary-in-the-middle phishing, fatigue prompts, or SIM swap attacks to intercept or coerce second factors. Microsoft reported a 146% year-over-year increase in adversary-in-the-middle phishing in 2024.
Session hijacking or token theft that lets an attacker act as the user without reauthenticating.
Monetization and movement such as changing bank details, transferring loyalty points, or pivoting into internal systems and cloud consoles via federated trust.

The sheer scale is daunting. Microsoft observed roughly 7,000 password attacks per second in 2024, more than double 2023, underscoring how automated the problem has become.

What are some real-world examples of account takeovers?

Recent ATO incidents have impacted consumer platforms, fintechs, and data infrastructure.

Examples to know

Snowflake customer data theft 2024: Mandiant reported a campaign in which attackers used credentials stolen by infostealer malware to access Snowflake customer instances. Reported downstream victims included Ticketmaster and Santander, illustrating how compromised login credentials can cascade into large data breaches and extortion.
23andMe credential stuffing 2023: Millions of records were exposed after attackers used reused passwords to access accounts. Multiple class-action settlement proposals reference the 2023 incident as credential stuffing driven, not a direct network intrusion.
DraftKings 2022 ATO, legal actions through 2024: Nearly 68,000 customer accounts were hijacked via credential stuffing, with arrests and charges announced in 2024. The company disclosed the attacks in its 2023 annual report filing.

How common or costly are account takeovers today?

ATO is widespread and costly, with losses often reported under broader cybercrime or fraud categories.

Current stats:

The 2025 DBIR notes that stolen credentials dominated basic web application attack patterns.
Cloudflare observed that 41% of successful logins across a large sample period involved compromised passwords, reflecting widespread reuse that fuels credential stuffing.
The FBI’s Internet Crime Complaint Center recorded $16 billion in reported cybercrime losses in 2024, a 33% rise over 2023, with phishing and related schemes representing the majority of attacks.

What signals indicate an account takeover in progress?

Signals include unusual login patterns, changes to user management settings, and risky post-login behavior.

Operational indicators

Impossible travel, new locations, or unfamiliar devices appearing at sign-in.
Spikes in failed logins followed by a surge of successful logins from the same IP range.
Rapid changes to access management or user management settings such as new admin roles, new API keys, or MFA resets.
Post-login behavior that touches sensitive information or monetization paths like payout changes, credential exports, or report downloads.

Which industries are most targeted?

Any consumer-facing web or mobile app is at risk, but companies are more likely to be targeted if they are ecommerce, fintech, gaming and media, or a data platform.

Why these sectors

They hold valuable PII and payment data, plus direct pathways to financial losses through stored balances and payout flows.
API traffic and high-volume login endpoints make automated attacks easier to scale. Akamai’s State of the Internet research and industry updates continue to document high bot traffic and billions of web attacks that include credential replay against retail and app logins.

What are the impacts of account takeovers?

Impacts range across direct financial losses, fraud, privacy harm, brand damage, and downstream compromise of partner systems.

Consequences:

Direct theft via wallet drains, refunds, and promo abuse.
Support costs, chargebacks, and regulatory exposure for privacy or data protection failures.
Trust erosion and customer churn after publicized incidents.
Lateral movement into back-office systems.

What are best practices for protecting against account takeovers?

An effective defense blends together strong authentication practices, account intelligence, and clear recovery processes.

Priority controls

Adopt phishing-resistant MFA or passkeys for both customers and admins, with step-up authentication for risky actions such as changing payout accounts or exporting data.
Harden passwords. Follow NIST guidance to screen new passwords against breached lists and avoid arbitrary complexity or frequent forced rotations that push users toward poor choices.
Detect and block bots. Use rate limiting, device fingerprinting, and behavioral analysis to stop credential stuffing and password spraying.
Instrument sign-in and post-login analytics. Watch for sudden changes to access management or user management data, anomalous purchases or refunds, and suspicious API usage.
Segment and minimize blast radius. Limit permissions by default, isolate high-risk actions, and demand reauthentication for sensitive changes.
Secure recovery flows. Lock down password resets and MFA resets with extra checks to prevent easy takeover through the back door.
Educate users about phishing attacks and password reuse, and notify them when a login occurs from a new device or location. Government advisories emphasize phishing-resistant authentication and layered controls.

How should teams respond if they suspect an account takeover?

Move fast to stop the session, verify the user, and contain any fraud or data exposure.

Response checklist

Kill sessions and temporarily lock the account while verifying the rightful owner.
Reset credentials and force re-auth, including re-binding MFA devices.
Review recent changes in user management and access management such as role updates, webhook destinations, payout details, and API tokens.
Inspect adjacent systems that trust the compromised account and rotate secrets.
Notify the user and, where applicable, regulators or partners, following incident response guidance.

How does Frontegg protect against account takeovers?

Frontegg gives you straightforward tools to keep accounts safe and spot trouble fast. You can turn on MFA and passkeys, add extra checks for sensitive actions, and use clear roles to limit what any account can do. Admins can view active sessions, sign users out, reset passwords, and review recent changes without waiting on engineering.

Protection also happens at the edges and inside the app. IP allowlists, risk signals, and rate limits reduce credential stuffing and other bot activity, and you can require a fresh login for high-risk moves like changing payout info or creating API keys. With Frontegg in place, teams enforce strong logins, monitor the right signals, and act quickly from a single admin surface, which reduces both the odds and the impact of account takeovers.

Other glossary items

reCAPTCHA Read now

Audit Logs Read now

Password Spraying Read now

Cookie	Duration	Description
_vis_opt_s	3 months 8 days	Visual Website Optimizer sets this cookie to detect if there are new to or returning to a particular test.
_vis_opt_test_cookie	session	Visual Website Optimizer creates this cookie to determine whether or not cookies are enabled on the user's browser.
li_gc	6 months	Linkedin set this cookie for storing visitor's consent regarding using cookies for non-essential purposes.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	6 months	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.

Cookie	Duration	Description
_gcl_au	3 months	Google Tag Manager sets the cookie to experiment advertisement efficiency of websites using their services.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hp2_ses_props.*	1 hour	Heap sets this cookie to store the timestamp and cookie domain or path.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.
_vwo_uuid_v2	1 year	This cookie is set by Visual Website Optimiser and calculates unique traffic on a website.
cb_anonymous_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.
cb_group_id	1 year	Clearbit sets this cookie to track page views and traits for Clearbit.

Cookie	Duration	Description
bcookie	1 year	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser IDs.
cb_user_id	1 year	Clearbit sets this cookie to collect data on visitors. This information is used to assign visitors into segments, making website advertising more relevant.

Cookie	Duration	Description
__Host-session	14 days	No description available.
__tld__	session	Description is currently not available.
_cfuvid	session	Description is currently not available.
_crowdcontrol_session_key	session	Description is currently not available.
_g2_session_id	session	Description is currently not available.
_hp2_hld346349427843107.1065080579	5 minutes	Description is currently not available.
_hp2_hld6722177740337317.1065080579	5 minutes	Description is currently not available.
_hp2_hld8090462093010520.1065080579	5 minutes	Description is currently not available.
cbtest	1 year	Description is currently not available.
debug	never	No description available.
events_distinct_id	session	Description is currently not available.
h1_device_id	1 year	Description is currently not available.
pfjscookies	1 year	Description is currently not available.