What is account takeover (ATO)?
Account takeover occurs when a malicious third party gains access to a user’s account with stolen credentials in order to commit fraud. This happens when a bad actor acquires another person’s login credentials, most often by leveraging reused or similar passwords from previously breached sites, and gains access to existing accounts – which may unlock corporate data, sensitive PII, funds, loyalty points and more. Criminals use those stolen assets to commit fraud, make unauthorized purchases, and perpetrate business email compromise (BEC), among other tactics, then eventually package the credentials for sale on the dark web, perpetuating the profit cycle.
The result can be devastating to the victim and to the organization’s reputation, operations, and bottom line.
What is an account takeover (ATO) attack?
Account takeover or ATO fraud attacks can take many forms, but generally come in one of two flavors:
Targeted account takeover attacks
- What: Highly effective, difficult-to-detect manual attacks such as phishing, social engineering, SIM swapping, extortion and blackmail.
- When: Occur early in the breach timeline, usually in the first 18-24 months after the breach. During this time, criminals keep the stolen data within a small group that monetizes the credentials before selling them on the dark web, usually for identity theft purposes.
- Result: Huge potential losses. SpyCloud customers report 80% of their losses stemming from targeted ATO attacks.
Automated credential stuffing attacks
- What: High-volume attacks that use thousands of credential pairings to attempt to log in to websites and even exposed endpoints on corporate networks.
- When: Occur long after the breach, when older stolen credentials have been packaged for sale and trade on the dark web.
- Result: A high enough success rate that it remains a popular attack type for even unsophisticated criminals. SpyCloud customers report 20% of their losses stemming from these attacks.
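As an added illustration (not from SpyCloud or the original page), a minimal detector for the automated attack type above, run over constructed authentication log lines in an assumed format: one source trying many distinct usernames in a short window with mostly failures is flagged, while a targeted takeover that logs in once with a valid stolen password produces no signal at all.

```python
"""Flag credential-stuffing behaviour in auth logs (constructed line format, not from the page):
    <ISO-8601 time> src=<ip> user=<name> result=<OK|FAIL>
Many distinct usernames from one source in a short window, mostly failing, is the signature of
an automated stuffing tool; a one-shot login with a valid stolen password leaves no such trace."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

def parse_events(lines):
    # Yield (timestamp, src, user, ok); malformed lines are skipped.
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["src"], m["user"], m["res"] == "OK"

def detect_stuffing(lines, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.8):
    """Return {src: (distinct_users, attempts, failures)} for each source whose activity
    inside a sliding window looks like stuffing (the latest qualifying window is reported)."""
    by_src = defaultdict(list)
    for ts, src, user, ok in parse_events(lines):
        by_src[src].append((ts, user, ok))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            win = events[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(not ok for _, _, ok in win)
            if len(users) >= min_users and fails / len(win) >= min_fail_ratio:
                flagged[src] = (len(users), len(win), fails)
    return flagged

# Constructed sample: a stuffing source with one hit in six tries, a user who mistyped
# once, and a targeted takeover that succeeds first time and is invisible to this check.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=203.0.113.7 user=alice result=FAIL",
    "2024-05-01T10:00:02Z src=203.0.113.7 user=bob result=FAIL",
    "2024-05-01T10:00:03Z src=203.0.113.7 user=carol result=OK",
    "2024-05-01T10:00:04Z src=203.0.113.7 user=dave result=FAIL",
    "2024-05-01T10:00:05Z src=203.0.113.7 user=erin result=FAIL",
    "2024-05-01T10:00:06Z src=203.0.113.7 user=frank result=FAIL",
    "2024-05-01T10:01:00Z src=198.51.100.2 user=bob result=FAIL",
    "2024-05-01T10:01:20Z src=198.51.100.2 user=bob result=OK",
    "2024-05-01T10:02:00Z src=192.0.2.9 user=grace result=OK",
]
```

`detect_stuffing(SAMPLE_LOG)` flags only 203.0.113.7; the targeted login from 192.0.2.9 is exactly the case that behaviour-based controls cannot see.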
Types of account takeover fraud
The use of stolen credentials is still the most common initial access vector. But it’s not just credentials that are leaked in breaches; personally identifiable information is up for grabs and is used for account takeover fraud. In fact, SpyCloud recovered nearly 45B pieces of PII in 2024 alone – a 39% increase YoY – which speaks to just how much stolen identity data is in the hands of criminals. Account takeover fraud, then, is what happens when bad actors use that unauthorized access to online accounts to perpetrate fraud.
What is account takeover fraud and what do criminals do with all that stolen data? Some examples include:
- Drain financial accounts, crypto wallets or loyalty point balances: Criminals will immediately wire or transfer the balance from victims’ accounts.
- Make fraudulent purchases: Criminals purchase goods using stolen or stored credit card or gift card data.
- Create synthetic identities: Criminals create a new identity with a combination of fake and legitimate (usually stolen) data. Often deployed in long-term scams to obtain lines of credit.
- Break into victims’ work accounts: Criminals will try to locate and steal corporate IP and deploy business email compromise scams, which resulted in $2.4B in losses in 2021 alone.
- SIM swap victims to bypass MFA: Criminals transfer a victim’s phone number to their own SIM card in order to bypass multi-factor authentication and take over sensitive accounts.
How do I know I’ve been a victim of an ATO attack?
One day, you might be suddenly locked out of your account because a bad actor has taken it over and changed the credentials. Or you may notice a strange transaction on a credit card statement – a purchase you didn’t get an email confirmation for because the criminal changed the email address associated with the account to stop you from receiving notifications. These are just some examples of account takeover identity theft.
How account takeover has evolved: beyond stolen passwords
Account takeover historically relied on stolen or guessed passwords – credentials obtained from data breaches, phishing campaigns, or brute-force attacks. That model still exists, but it now represents only part of the ATO threat landscape. The more dangerous and harder-to-detect form of account takeover today bypasses the authentication layer entirely.
According to SpyCloud’s 2026 Annual Identity Exposure Report, 80% of exposed corporate credentials contained plaintext passwords – significantly lowering the barrier to immediate account takeover. But the more consequential finding is that attackers are increasingly combining credential data with session cookies and device fingerprints stolen by infostealer malware to conduct post-authentication account takeover that defeats MFA entirely.
Infostealer malware harvests not just passwords but active session cookies from every browser on an infected device. These cookies represent completed authentication events – meaning an attacker who possesses them does not need to know the account password, complete an MFA challenge, or trigger any authentication-layer security control. From the application’s perspective, the attacker is continuing a session that was legitimately opened by the account owner.
The primary ATO attack vectors in 2026
Credential-based ATO uses stolen username-password pairs – sourced from data breaches, phishing attacks, or infostealer logs – to authenticate directly. This is what credential stuffing attacks automate at scale: testing stolen credentials across thousands of login portals simultaneously.
Session hijacking-based ATO uses stolen session cookies to bypass authentication entirely. The attacker imports a valid cookie into their browser and lands directly inside an authenticated session (see the session hijacking page for the full attack breakdown).
Targeted ATO combines breach data, infostealer logs, and OSINT to manually compromise high-value accounts – executives, finance personnel, privileged administrators – where the return justifies the investment in manual effort. SpyCloud customer data shows that targeted ATO accounts for 80% of customer losses, versus 20% from automated credential stuffing.
Why MFA doesn't fully prevent account takeover
When an employee’s device is infected by infostealer malware, their active sessions across enterprise applications – Microsoft 365, Salesforce, Okta, VPN portals – are exposed simultaneously. The correct remediation is not just a password reset: all active session tokens must be invalidated, and the exposure must be detected before the stolen cookies are used.
SpyCloud research shows that nearly half of all accounts taken over in 2025 had MFA configured at the time of compromise. MFA stops credential-based attacks when the attacker only has the password. It does not stop session hijacking-based ATO, where the attacker presents a stolen post-authentication cookie and bypasses the login flow entirely. Effective ATO prevention requires closing this gap with post-authentication session monitoring and darknet exposure detection.
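The two defensive controls this section calls for, as an added example that is not SpyCloud’s code or any product’s: a per-user revocation watermark so that remediation invalidates every session issued before the infection was handled, and a device binding check that flags a genuine cookie presented from a different client. The cookie format, HMAC key, session store and fingerprint inputs are all assumptions for the illustration.

```python
"""Post-authentication controls for the gap described above (added illustration, not SpyCloud's
code): a revocation watermark that kills every session issued before remediation, and a device
binding that refuses a cookie replayed from another client. The page notes infostealers also
capture device fingerprints, so binding alone is not enough; the watermark still matters."""
import base64, hashlib, hmac, json

SERVER_KEY = b"constructed-demo-key"  # placeholder; a real service loads this from a secret store

def fingerprint(user_agent, client_hint):
    """Hash of stable client attributes; which attributes to bind is a design choice."""
    return hashlib.sha256(f"{user_agent}|{client_hint}".encode()).hexdigest()

def issue_session(user, fp, now):
    """Signed cookie value: urlsafe-base64(JSON claims) + '.' + HMAC-SHA256 tag."""
    body = json.dumps({"sub": user, "iat": now, "fp": fp}, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + hmac.new(SERVER_KEY, body, "sha256").hexdigest()

class SessionStore:
    def __init__(self):
        self.revoked_before = {}  # user -> timestamp; sessions issued earlier are dead

    def revoke_all(self, user, now):
        """Remediation after an infostealer infection or ATO: invalidate every session, not just the password."""
        self.revoked_before[user] = now

    def validate(self, cookie, presented_fp):
        """Return (ok, reason); 'hijack' means a genuine cookie presented from the wrong device."""
        try:
            b64, tag = cookie.split(".", 1)
            body = base64.urlsafe_b64decode(b64)
        except (ValueError, TypeError):
            return False, "malformed"
        if not hmac.compare_digest(hmac.new(SERVER_KEY, body, "sha256").hexdigest(), tag):
            return False, "bad_signature"
        claims = json.loads(body)
        if claims["iat"] < self.revoked_before.get(claims["sub"], 0):
            return False, "revoked"
        if not hmac.compare_digest(claims["fp"], presented_fp):
            return False, "hijack"  # stolen cookie replayed elsewhere: alert, then revoke_all
        return True, "ok"

def demo():
    """Victim logs in, attacker replays the stolen cookie, then the victim's sessions are revoked."""
    store = SessionStore()
    victim_fp, thief_fp = fingerprint("Firefox/125", "victim-device"), fingerprint("Chrome/124", "thief-device")
    cookie = issue_session("alice", victim_fp, now=1000)
    results = [store.validate(cookie, victim_fp)[1], store.validate(cookie, thief_fp)[1]]
    store.revoke_all("alice", now=2000)
    results.append(store.validate(cookie, victim_fp)[1])
    return results  # ['ok', 'hijack', 'revoked']
```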
How to prevent account takeover
Preventing account takeover can’t be done with behavior-based technologies, like bot mitigation, alone. Those solutions are only meant to stop automated account takeover attacks that occur years after the breach takes place using old lists of previously stolen credentials (called “combolists”).
Truly stopping account takeover requires identifying compromised accounts early, before criminals have time to use the stolen credentials, test them against other accounts, or sell them on the dark web. The only way to do that is to have access to a comprehensive, constantly updated, real-time database of breach data.
Stop account takeover before it happens.
Our Check Your Exposure tool shows what data tied to your domain is already circulating in criminal markets.
FAQs
The most common causes of account takeover are stolen credentials from data breaches and infostealer malware infections. Infostealer malware is increasingly significant because it captures not just passwords but active session cookies, device fingerprints, and authentication tokens – enabling attackers to bypass MFA entirely by hijacking already-authenticated sessions. SpyCloud’s 2026 Annual Identity Exposure Report found 5.3 billion exposed credential pairs circulating in the criminal underground, with 80% of corporate credentials exposed as plaintext.
MFA significantly raises the barrier for credential-based account takeover, but it does not prevent session hijacking-based ATO. When attackers steal session cookies via infostealer malware or adversary-in-the-middle phishing, they bypass the authentication process entirely – presenting a valid post-authentication token rather than attempting to log in. SpyCloud research shows that nearly half of compromised accounts in 2025 had MFA configured at the time of takeover, confirming that MFA alone is insufficient without post-authentication session monitoring and darknet exposure detection.