What is Account Takeover Attacks (ATO)

What is an Account Takeover (ATO) Attack?

Account takeover or ATO fraud attacks can take many forms, but generally come in one of two flavors: 

Targeted Account Takeover

    • What: Highly effective, difficult to detect manual attacks like phishing, social engineering, SIM swapping, extortion, blackmail.
    • When: Occur early in the breach timeline, usually in the first 18-24 months after the breach. During this time, criminals keep the stolen data within a small group that monetizes the credentials before selling them on the dark web, usually for identity theft purposes.
    • Result: Huge potential losses. SpyCloud customers report 80% of their losses stemming from targeted ATO attacks.

Automated Credential Stuffing Attacks

    • What: High-volume attacks that use thousands of credential pairings to attempt to login to websites and even exposed endpoints on corporate networks.
    • When: Occur long after the breach, when older stolen credentials have been packaged for sale and trade on the dark web.
    • Result: A high enough success rate that it remains a popular attack type for even unsophisticated criminals. SpyCloud customers report 20% of their losses stemming from these attacks.

Types of Account Takeover Fraud

The use of stolen credentials is the #1 ATO attack technique. But it’s not just credentials that are leaked in breaches; personally identifiable information is up for grabs and is used for account takeover fraud. In fact, SpyCloud recovered nearly 9B pieces of PII in 2022 alone, which speaks to just how much data is in the hands of criminals via third-party breaches. The account takeover fraud definition is when bad actors gain unauthorized access to online accounts to perpetrate fraud. 

What is account takeover fraud and what do criminals do with all that stolen data? Some examples include:

    • Drain financial accounts, crypto wallets or loyalty point balances
      …where criminals will immediately wire or transfer the balance from victims’ accounts.
    • Make fraudulent purchases
      …where criminals purchase goods using stolen or stored credit card or gift card data.
    • Create synthetic identities
      …where criminals create a new identity with a combination of fake and legitimate (usually stolen) data. Often deployed in long-term scams to obtain lines of credit.
    • Break into victims’ work accounts
      …where criminals will try to locate and steal corporate IP and deploy business email compromise scams, which resulted in $2.4B in losses in 2021 alone.
    • SIM swap victims to bypass MFA
      …where criminals transfer a victim’s phone number to their own SIM card in order to bypass multi-factor authentication and take over sensitive accounts.

How Do I Know I've Been a Victim of an ATO Attack?

One day, you might be suddenly locked out of your account because a bad actor has taken it over and changed the credentials. Or you may notice a strange transaction on a credit card statement – a purchase you didn’t get an email confirmation for because the criminal changed the email address associated with the account to stop you from receiving notifications. These are just some examples of account takeover identity theft.

You might receive an email from your bank or credit card company that says your information has been exposed in a breach. But often, this is months or years after your data has been in criminals’ hands.

The truth is, even the most sophisticated companies and cybersecurity teams may not realize for a long time that they have been breached, putting users’ data at risk. Early detection and continuous monitoring for compromised credentials is key.

Check if your email has been compromised & sign up for free breach monitoring

How to Prevent Account Takeover

Preventing account takeover can’t be done with behavior-based technologies, like bot mitigation, alone. Those solutions are only meant to stop automated account takeover attacks that occur years after the breach takes place using old lists of previously stolen credentials (called “combo lists”).

Truly stopping ATO/account takeover requires identifying compromised accounts early, before criminals have time to use the stolen credentials, test them against other accounts, or sell them on the dark web. The only way to do that is to have access to a comprehensive, constantly updated, real-time database of breach data.

Timeline of a data breach showing what cybercriminals do with stolen credentials, starting with targeted account takeover attacks of high-value victim. Ultimately, stolen logins will end up on the deep and dark web and used in high-volume credential stuffing attacks.
0 +
0 +


0 +


0 +
Data Types

With SpyCloud, you get enterprise-level account takeover prevention powered by the most up-to-date and actionable breach data.

SpyCloud offers the largest database of recaptured data in the world, combined with the earliest possible data recovery available. Our proprietary engine quickly ingests data from breaches, malware-infected devices, and other underground sources, then cleanses and enriches the data – adding context to the records so you understand the severity of the exposures (the source, breach description, and the actual password in plaintext). Our customers get notifications of compromised accounts and passwords far sooner than any other provider.

Ultimately, we narrow your exposure window by 18++ months, preventing account takeover, safeguarding your organization from the theft of data and IP, and protecting your users from business email compromise and fraudulent transactions.


Top 10 Travel Booking Site

Featured Resources

Learn how SpyCloud protects your business from cyberattacks leveraging stolen data.