What is account takeover?

When a malicious party gains control of or access to a legitimate user's account, this is called an account takeover attack.

Learning Objectives

After reading this article you will be able to:

  • Define 'account takeover'
  • List the main account takeover attack vectors
  • Understand how to prevent and mitigate account takeover attacks

Related Content


Want to keep learning?

Subscribe to theNET, Cloudflare's monthly recap of the Internet's most popular insights!

Refer to Cloudflare's Privacy Policy to learn how we collect and process your personal data.

Copy article link

What is account takeover?

The average person has dozens of online accounts needed for access to both personal and business websites, applications, and systems. Account takeover attacks (as the name suggests) attempt to gain access to those accounts, allowing the attacker to steal data, deliver malware, or use the account’s legitimate access and permissions for other malicious purposes.

How do account takeovers occur?

For an account takeover attack to occur, the attacker needs access to the target account's authentication information — such as a username and password combination. Attackers can obtain this information in various ways, including:

  • Credential stuffing: Credential stuffing attacks use bots to automatically attempt to log in to a user account using a list of common or breached passwords. These attacks are possible because many user accounts are protected by weak or reused passwords — a major security issue.
  • Phishing: User credentials are a common target of phishing attacks, which often use malicious links to direct a user to a fake login page for a service, allowing the attacker to collect their login credentials.
  • Malware: Malware infections on a user’s computer can steal passwords in various ways. These include dumping authentication information from browser or system password caches or recording a user’s keystrokes as they authenticate to an account.
  • Application vulnerabilities: Users are not the only entities with accounts on an organization’s systems and networks. Applications also have accounts, and an attacker can exploit vulnerabilities in these accounts to take advantage of their access.
  • Stolen cookies: The cookies stored on a user's computer can store information about their login session to allow access to an account without a password. With access to these cookies, an attacker can take over a user’s session.
  • Hardcoded passwords: Applications commonly need access to various online accounts to perform their role. Sometimes, passwords to these accounts are stored in application code or configuration files, which may be exposed on GitHub or otherwise leaked.
  • Compromised API keys: API keys and other authentication tokens are designed to allow applications to access online accounts and services via an API. If these keys are accidentally uploaded to a GitHub repository or otherwise leaked, they can provide access to an organization’s account.
  • Network traffic sniffing: While most network traffic is encrypted and secure, some devices still use insecure protocols, such as Telnet. An attacker who can view this unencrypted network traffic can extract login credentials from it.

Impact of account takeover attacks

A successful account takeover attack grants the attacker the same access and permissions as the legitimate account owner. With this access, an attacker can take various actions, such as:

  • Data theft: Account takeover attacks can lead to the breach and exfiltration of vast amounts of sensitive, confidential, or protected classes of data like credit card numbers or personally identifiable information (PII).
  • Malware delivery: Account takeover attacks allow attackers to install and execute ransomware and other malware on corporate systems.
  • Follow-on attacks: Once an attacker gains access to a legitimate account, they can use that access to carry out further attacks. Sometimes, gaining access to a specific account is only done for this purpose (e.g. attackers may steal login credentials in the hope that the user has reused passwords across multiple accounts).
  • Lateral movement: A compromised account can provide an entry point for an attacker to an otherwise secure network. From this initial starting point, the attacker can expand their access or escalate privileges across other corporate systems, a process called lateral movement.
  • Financial profit: Instead of using the compromised account themselves, the attacker may sell access to it on the dark web.

How to defend against account takeover attacks

Organizations can take several steps to prevent account takeover and minimize the impact of these attacks.

Account takeover prevention

Defense-in-depth is the best approach to take when addressing the risks of account takeover attacks. Account takeover attacks commonly take advantage of poor account security practices. Some defenses that companies can put into place to prevent account takeover attacks include:

  • Strong password policies: Many account takeover attacks take advantage of weak and reused passwords. Defining and enforcing a strong password policy — including testing if user passwords have been exposed in a breach — can make credential stuffing and password cracking attacks more difficult to perform.
  • Phishing protection: Phishing attacks are a common method for attackers to steal user passwords. By filtering risky emails or blocking suspicious domains via Internet filtering, an organization reduces the risk of users inadvertently compromising their credentials.
  • Multi-factor authentication (MFA): MFA uses multiple factors to authenticate a user, such as the combination of a password and a one-time password (OTP) generated by an authenticator app, or the use of hard keys in addition to a password. Enforcing MFA use on all accounts makes it harder for an attacker to take advantage of a compromised password.
  • Application security testing: API keys and authentication tokens exposed in APIs can grant attackers access to an organization’s online accounts. Enforcing strong authentication practices and scanning application code and configuration files for authentication material can protect against this.
  • Login and API security: Credential stuffers try many different username and password combinations to try to guess valid login credentials. Login and API security solutions can help to identify and block these attacks.

Account takeover attack mitigation

Account takeover prevention is important to managing the risk of account takeover attacks, but it may not always be effective. For example, a phishing attack on a user's personal email account may leak login credentials that allow an attacker to log in to that same user's corporate account.

In addition to the prevention strategies listed above, organizations can minimize the harm caused by these attacks using the following approaches:

  • Behavioral analytics: With access to a user's account, an attacker will likely engage in anomalous activities, such as exfiltrating large volumes of sensitive data or deploying malware. Ongoing monitoring of an account's usage after authentication can enable an organization to detect and respond to successful account takeover attacks.
  • Zero Trust security: A default-deny, Zero Trust security approach makes it extremely difficult for attackers to access their targeted application or resource, even if they possess compromised credentials. An attacker's request to gain access to corporate applications would need to be verified based on identity, device posture, and other contextual signals before access is granted. An organization with rigorous and granular Zero Trust policies can detect suspicious signals – like an unusual geography of the request or that the device making the request is infected – and deny the attacker's access request.

Cloudflare Zero Trust enables organizations to allow remote access to applications and systems while managing the risk of account takeover attacks. With Zero Trust network access (ZTNA), users are permitted access to specific resources only after verifying their identity, context, and compliance with corporate policy.