Account Takeover 101
Essential foundation every fraud professional needs to know about account takeover attacks
The Story
Tuesday, 6:14 AM. Maria Torres wakes up to an email she doesn't understand.
"Congratulations! Your MarketHub Capital loan of $15,000 has been approved and deposited to your linked bank account."
Maria runs a small jewelry business on MarketHub, one of those massive online marketplaces where anyone can sell. She's spent three years building her shop. 2,400 reviews. 4.8 stars. Handmade earrings and necklaces, shipped from her garage in Austin.
She didn't apply for a loan.
She tries to log in. Password rejected. She requests a reset. The confirmation email goes to an address she doesn't recognize.
Maria calls her bank. No deposit. She calls MarketHub support and waits on hold for 47 minutes. When she finally reaches someone, the story comes together:
| Time | What Happened |
|---|---|
| Sunday, 11:32 PM | Attacker logs in using credentials from old data breach |
| Sunday, 11:34 PM | Password and recovery email changed |
| Sunday, 11:41 PM | Payout bank account changed to out-of-state account |
| Monday, 9:15 AM | Attacker applies for MarketHub Capital loan |
| Monday, 2:30 PM | Loan auto-approved based on Maria's 3-year sales history |
| Monday, 3:00 PM | $15,000 deposited to attacker's bank account |
| Tuesday, 6:14 AM | Maria wakes up to the confirmation email |
The attacker didn't steal Maria's products. They didn't run stolen credit cards through her shop. They stole something more valuable: her three years of reputation. MarketHub's lending algorithm saw a seller with consistent sales, positive reviews, and a low chargeback rate. The loan was approved automatically.
But the loan wasn't the only damage. Maria's shop was still running. Orders were still coming in. Customers were still paying. And every dollar was flowing to a bank account she'd never seen. By the time she reached support, three days of sales (about $1,800) had already been diverted.
MarketHub's fraud team froze her account while they investigated. Standard procedure, they said. The investigation would take 7-10 business days. Maybe longer.
For the next two weeks, Maria's shop sat frozen. No new orders. No payouts. Regular customers messaged asking why their favorite jewelry store had disappeared. Some found other sellers. Maria watched her holiday season revenue evaporate while she filled out fraud affidavits and waited for callbacks that never came.
When MarketHub finally restored her account, they forgave the loan. But they couldn't give back the two weeks of lost sales, the customers who'd moved on, or the momentum she'd spent three years building.
This story is fictional, but the patterns are real.
Why This Matters
In Common Fraud Types, you learned that account takeover (ATO) is when criminals gain unauthorized access to a victim's account. This module goes deeper into how these attacks actually work.
Account takeover isn't just about stolen passwords. It's a full chain of events: criminals obtain credentials, test them at scale, and then extract value from every account they can access. Understanding this chain is essential for investigating ATO incidents.
The numbers tell the story. Since January 2025, the FBI's Internet Crime Complaint Center (IC3) has received over 5,100 ATO complaints with losses exceeding $262 million.[1] And that's just what gets reported. Many victims never realize their accounts were compromised until the damage is done.
The Verizon 2025 Data Breach Investigations Report found that compromised credentials were the initial access vector in 22% of all breaches, and on a typical day, 19% of authentication attempts across enterprise systems are credential stuffing attacks.[2] Valid credentials are the most reliable way into almost any system. Why hack through sophisticated defenses when you can just log in?
How Account Takeover Works
The Value in Your Accounts
Not all accounts are equal targets. Attackers prioritize based on what they can extract:
| Account Type | What Attackers Want |
|---|---|
| Marketplace seller | Payout diversion, loan fraud, reputation for scams |
| Bank/brokerage | Direct fund transfers |
| Email (especially primary) | Password resets for other accounts |
| Retail (Amazon, etc.) | Stored payment cards, gift card purchases |
| Crypto exchange | Withdraw to external wallet |
| Social media | Spam distribution, scam promotion |
Maria's account was valuable not because it held money, but because it held creditworthiness. Three years of positive sales history made her eligible for a $15,000 loan. The attacker didn't need to sell anything or run stolen cards. They just borrowed against Maria's reputation.
As marketplaces expand into financial services (seller loans, instant payouts, buy-now-pay-later), the value of a compromised seller account goes up. A good seller account isn't just a shop. It's a credit profile.
Email accounts sit at the top of this hierarchy for a different reason. Control someone's primary email and you can reset passwords across dozens of other services. A compromised Gmail or Outlook account can cascade into total digital identity theft.
Where Credentials Come From
Remember credential stuffing from Common Fraud Types? Attackers test stolen username/password combinations across multiple sites, hoping people reused their passwords. But stuffing is just one source. Here's the full picture:
Data breaches expose credentials in bulk. When a company gets hacked, their user database often ends up for sale on criminal marketplaces. These "combo lists" contain millions of email/password pairs. Maria's password came from a breach at a cooking forum she'd signed up for years ago and forgotten about.
Phishing tricks people into entering credentials on fake login pages. A convincing email from "MarketHub Security" links to a site that looks identical to the real thing, but the login form sends everything straight to attackers.
Infostealer malware runs silently on infected computers, capturing every password typed or saved in browsers. One careless download can expose credentials for every site a person uses.
Social engineering manipulates support staff into resetting passwords or disabling security features. An attacker calls pretending to be the account owner, claims they lost their phone, and talks their way into access.
The Timeline of a Stolen Credential
There's a gap between when your password leaks and when someone uses it against you. Understanding this timeline explains why ATO attacks can seem to come from nowhere:
- Breach occurs (Day 0): A company database is compromised
- Data extracted (Days 1-30): Attackers copy user records
- Data sold (Weeks to months): Credentials appear on criminal markets
- Testing begins (Ongoing): Bots try combinations across sites
- Successful login (Variable): Your reused password works somewhere
- Account takeover (Minutes): Attacker changes password and takes control
Maria's password was probably stolen months or years before her MarketHub account was hit. The attacker who logged in likely bought a batch of credentials, ran them through automated tools, and her account was one of many that worked.
Inside a Credential Stuffing Attack
Credential stuffing has a low success rate, typically between 0.2% and 2%.[3] That sounds tiny, but attackers work at massive scale. Run a million stolen credentials and even a 0.5% success rate means 5,000 compromised accounts.
Here's what makes credential stuffing economically viable:
- Credentials are cheap: Leaked combo lists cost almost nothing
- Automation handles volume: Bots test thousands of logins per minute
- Proxies hide the source: Requests come from different IP addresses
- Residential proxies look legitimate: Traffic appears to come from normal homes
- Success compounds: One email account opens doors to many others
The attacker didn't target Maria specifically. They sprayed credentials at marketplace sites, retail sites, banks. Whoever reused their password became a victim. Maria just happened to have a valuable account with a credit line attached.
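The economics above also dictate what a defender can and cannot see. The following added example (written for this module, not code from the course or from any vendor) replays a constructed log of login attempts through the signals that survive proxying. Because each stolen credential is tried once from its own residential exit, a per-IP lockout never fires; the failure rate and the number of distinct accounts in a five-minute window still give the campaign away, and the one successful login inside that window is the account to re-verify. Every IP, username, timestamp and threshold below is made up for the demonstration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed baseline traffic: (timestamp, src_ip, username, success).
# A handful of real users, one of them mistyping a password once.
BASELINE = [
    ("2025-03-02T22:55:10", "198.51.100.7",  "dana@example.net", True),
    ("2025-03-02T23:02:41", "198.51.100.9",  "lee@example.org",  False),
    ("2025-03-02T23:03:05", "198.51.100.9",  "lee@example.org",  True),
    ("2025-03-02T23:20:33", "198.51.100.12", "kim@example.com",  True),
    ("2025-03-02T23:50:19", "198.51.100.7",  "dana@example.net", True),
]


def constructed_stuffing_burst(start="2025-03-02T23:30:00", n=50, hit_index=40):
    """Constructed attack traffic: n combo-list entries, each tried once from its own
    residential-proxy address, so no source IP ever exceeds a single attempt.
    Exactly one reused password works (2% of the batch), at 23:32 like the story."""
    t0 = datetime.fromisoformat(start)
    burst = []
    for i in range(n):
        ts = (t0 + timedelta(seconds=3 * i)).isoformat()
        user = "maria@example.com" if i == hit_index else f"user{i:03d}@example.com"
        burst.append((ts, f"203.0.113.{i + 1}", user, i == hit_index))
    return burst


def window_key(ts, window_minutes=5):
    """Floor a timestamp to the start of its fixed window (window_minutes must divide 60)."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % window_minutes, second=0, microsecond=0).isoformat()


def window_stats(events, window_minutes=5):
    """Aggregate attempts per window. These are the numbers a proxied campaign
    cannot flatten: total failures, failure rate and distinct usernames grow
    with the batch size no matter how many exit IPs the bots rotate through."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        buckets[window_key(ts, window_minutes)].append((ip, user, ok))
    stats = {}
    for key, rows in sorted(buckets.items()):
        per_ip = Counter(ip for ip, _, _ in rows)
        failures = sum(1 for _, _, ok in rows if not ok)
        stats[key] = {
            "attempts": len(rows),
            "failure_rate": failures / len(rows),
            "distinct_users": len({user for _, user, _ in rows}),
            "distinct_ips": len(per_ip),
            "max_per_ip": max(per_ip.values()),
        }
    return stats


def flag_stuffing(stats, min_attempts=20, min_failure_rate=0.8, min_users=10):
    """Windows with many attempts, mostly failing, spread over many accounts.
    Thresholds are illustrative; set them from your own traffic baseline."""
    return [key for key, s in stats.items()
            if s["attempts"] >= min_attempts
            and s["failure_rate"] >= min_failure_rate
            and s["distinct_users"] >= min_users]


def per_ip_lockout_hits(events, limit=5):
    """What a naive per-IP lockout sees: only sources with more than `limit` attempts."""
    return [ip for ip, n in Counter(ip for _, ip, _, _ in events).items() if n > limit]


def hits_in_flagged_windows(events, flagged, window_minutes=5):
    """Accounts that logged in successfully inside a flagged window: these are the
    attacker's working credentials and the accounts to step up or re-verify now."""
    flagged = set(flagged)
    return {user for ts, _, user, ok in events
            if ok and window_key(ts, window_minutes) in flagged}


if __name__ == "__main__":
    events = BASELINE + constructed_stuffing_burst()
    stats = window_stats(events)
    flagged = flag_stuffing(stats)
    print("per-IP lockout triggered on:", per_ip_lockout_hits(events))  # nothing
    print("flagged windows:", flagged)
    print("accounts hit:", hits_in_flagged_windows(events, flagged))
```

Run as a script it prints an empty lockout list, one flagged window (23:30) and Maria's account as the single hit. The point is the contrast: `max_per_ip` in the flagged window is 1, so any control keyed on source address is blind, while the window-level failure rate (0.98) and the 50 distinct usernames are not something the attacker can lower without sending fewer credentials.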
What Happens After Login
Once attackers get into an account, they move fast. The sequence is predictable:
Lock out the owner: Change the password immediately. Change the recovery email and phone number. Now the real owner can't get back in or receive security alerts.
Assess the value: What's in this account? Seller reputation? Stored payment methods? Pending balance? Loan eligibility? Connected bank account for payouts?
Extract value: For Maria's seller account, the attacker changed the payout destination and took out a loan against her reputation. For a retail account, they might buy gift cards with stored payment methods. For a bank account, they transfer funds directly.
Work quickly: The longer the attack runs before detection, the more value can be extracted. Maria's attacker finished the loan application before she even knew something was wrong.
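The sequence above is where the investigative evidence lives, and it is also where a platform can intervene. The added example below (written for this module; not MarketHub's logic, which is fictional anyway) replays the story's account events as a constructed stream and scores the sensitive changes that follow a login from an unrecognized device, then derives the controls that would have blunted the loss: step-up authentication, alerts sent to the contact details on file before the change, and a cooling-off hold on payouts and credit after a recovery or payout change. The event names, weights, lookback and hold periods are assumptions chosen for the illustration.

```python
from datetime import datetime, timedelta

# Illustrative weights (not from the course) for sensitive actions that follow a
# login from a device the account has never used before.
WEIGHTS = {
    "password_change": 2,
    "recovery_email_change": 3,
    "recovery_phone_change": 3,
    "payout_account_change": 4,
    "loan_application": 4,
}
CONTACT_OR_MONEY_CHANGES = {"recovery_email_change", "recovery_phone_change", "payout_account_change"}

# Constructed replay of the story's timeline: (timestamp, event, attributes).
MARIA_EVENTS = [
    ("2025-03-02T23:32:00", "login", {"device_known": False}),
    ("2025-03-02T23:34:00", "password_change", {}),
    ("2025-03-02T23:34:30", "recovery_email_change", {}),
    ("2025-03-02T23:41:00", "payout_account_change", {}),
    ("2025-03-03T09:15:00", "loan_application", {"amount": 15000}),
]

# Constructed benign stream: the owner rotates her password from her usual laptop.
BENIGN_EVENTS = [
    ("2025-03-02T20:00:00", "login", {"device_known": True}),
    ("2025-03-02T20:05:00", "password_change", {}),
]


def score_session(events, lookback=timedelta(hours=12)):
    """Sum the weights of sensitive actions taken within `lookback` of a login from
    an unrecognized device. Returns (score, evidence); evidence is the list of
    (timestamp, event) pairs an investigator would pull from the account log."""
    score, evidence, risky_login = 0, [], None
    for ts, kind, attrs in events:
        t = datetime.fromisoformat(ts)
        if kind == "login":
            risky_login = None if attrs.get("device_known") else t
            continue
        if kind in WEIGHTS and risky_login is not None and t - risky_login <= lookback:
            score += WEIGHTS[kind]
            evidence.append((ts, kind))
    return score, evidence


def recommended_controls(events, score, hold=timedelta(hours=48)):
    """Controls the platform could apply. The score drives step-up auth; the
    cooling-off rules fire on the change itself, so they hold even when the
    attacker manages to look like a recognized device."""
    actions = set()
    if score >= 5:
        actions.add("step_up_auth")
    last_change = None
    for ts, kind, _ in events:
        t = datetime.fromisoformat(ts)
        if kind in CONTACT_OR_MONEY_CHANGES:
            last_change = t
            # Alert the contact on file *before* the change; the new one is the attacker's.
            actions.add("notify_previous_contacts")
        if kind == "payout_account_change":
            actions.add("hold_payouts_to_new_account")
        if kind == "loan_application" and last_change is not None and t - last_change < hold:
            actions.add("hold_loan_pending_review")
    return actions


if __name__ == "__main__":
    for name, stream in (("maria", MARIA_EVENTS), ("benign", BENIGN_EVENTS)):
        score, evidence = score_session(stream)
        print(name, score, evidence, sorted(recommended_controls(stream, score)))
```

For Maria's stream the score is 13 with four pieces of evidence, and every control fires; the benign password rotation scores 0 and triggers nothing. Notice that the loan hold does not depend on the score at all: a credit application inside the cooling-off window after a payout or recovery change is held for review regardless of how the login looked.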
Monetizing Stolen Accounts
Different accounts get monetized differently. Understanding these patterns helps you see what attackers are actually after:
Seller accounts offer multiple cash-out paths. Attackers can divert payouts from ongoing sales, take out loans against the seller's history, or use the account's reputation to run scams. The cleaner the seller's history, the more options attackers have. Maria's spotless three-year record made her a perfect target.
Retail accounts with stored payment cards become shopping tools. Attackers buy gift cards (easy to resell), electronics (ship to a drop address as discussed in Criminal Infrastructure), or digital goods. Gift cards are particularly attractive because they convert to cash quickly through resale markets.
Bank accounts allow direct transfers, but these are harder to cash out. Attackers might use Zelle or wire transfers to move money to accounts they control, or add themselves as authorized users on credit cards.
Email accounts are often more valuable than they appear. Access to someone's primary email means access to password reset flows for every other service they use. One compromised inbox can cascade into dozens of compromised accounts.
Session Tokens and Session Hijacking
Passwords aren't the only way into accounts. Every time you log in to a website, your browser receives a session token, a small piece of data that proves you've already authenticated. Think of it like a wristband at an event. Once you're in, you don't show your ticket again. You just flash the wristband.
Session tokens are usually stored as cookies in your browser (sometimes in local storage or sent in an authorization header). If an attacker can steal that token, they can impersonate your logged-in session without ever knowing your password, and without tripping the login-time defenses (MFA, new-device checks) that guard the password. They're not breaking in. They're walking in with your wristband.
Session hijacking can happen through:
- Malware that extracts cookies from your browser (infostealers routinely grab saved cookies alongside saved passwords)
- Man-in-the-middle attacks on unsecured networks, when the cookie travels over plain HTTP or lacks the Secure flag
- Cross-site scripting (XSS) vulnerabilities in websites, which let injected script read any cookie not marked HttpOnly
- Physical access to an unlocked computer
Unlike credential stuffing, session hijacking bypasses login entirely. The attacker inherits an already-authenticated session. If Maria had logged into MarketHub on an infected computer, the attacker could have grabbed her session cookie and never needed her password at all.
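To make the wristband concrete, here is an added example (written for this module, not code from the course or from any real platform) of a minimal server-side session store in Python. `resolve_bearer_only` is the weak check that session hijacking exploits: whoever presents the cookie is the user. `resolve` binds the token to the client context it was issued to and burns the session on a mismatch, and `revoke_user` shows why a password or recovery change must invalidate every existing session, the stolen one included. The user-agent/IP fingerprint, the timeouts and the "laptop" and "attacker" contexts are assumptions made for the demonstration.

```python
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    ua_hash: str
    ip_prefix: str
    issued_at: float
    last_seen: float


def client_fingerprint(user_agent, ip):
    """Cheap context the token is bound to: hashed User-Agent plus the IPv4 /24.
    An assumption of this example; mobile carriers rotate addresses, so real
    deployments tune or drop the IP part (or move to device-bound tokens)."""
    return hashlib.sha256(user_agent.encode()).hexdigest(), ".".join(ip.split(".")[:3])


class SessionStore:
    def __init__(self, idle_timeout=30 * 60, absolute_timeout=8 * 3600):
        self._sessions = {}  # sha256(token) -> Session; raw tokens are never stored
        self.idle_timeout = idle_timeout
        self.absolute_timeout = absolute_timeout

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, user_agent, ip, now):
        """Mint a random token (the cookie value) bound to the issuing client context."""
        token = secrets.token_urlsafe(32)
        ua_hash, prefix = client_fingerprint(user_agent, ip)
        self._sessions[self._key(token)] = Session(user, ua_hash, prefix, now, now)
        return token

    def resolve_bearer_only(self, token, now):
        """The weak check: whoever presents the cookie is the user. A stolen cookie
        works from anywhere until it expires. This is the wristband on its own."""
        s = self._sessions.get(self._key(token))
        if s is None or now - s.issued_at > self.absolute_timeout:
            return None
        return s.user

    def resolve(self, token, user_agent, ip, now):
        """Hardened check: the token must exist, be inside idle and absolute limits,
        and arrive from the context it was issued to. A mismatch burns the session
        rather than just refusing, so the thief cannot keep probing it."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        expired = now - s.issued_at > self.absolute_timeout or now - s.last_seen > self.idle_timeout
        if expired or (s.ua_hash, s.ip_prefix) != client_fingerprint(user_agent, ip):
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user

    def revoke_user(self, user):
        """On a password or recovery-contact change, kill every session for the user,
        the stolen one included. Returns how many were revoked."""
        doomed = [k for k, s in self._sessions.items() if s.user == user]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)


def hijack_demo():
    """Walk the scenario from the text: Maria's cookie is lifted by an infostealer
    and replayed from the attacker's machine. Returns the outcome of each check."""
    store = SessionStore()
    t0 = 1_700_000_000.0                                   # fixed clock, deterministic run
    laptop = ("Mozilla/5.0 (Macintosh)", "198.51.100.7")   # constructed owner context
    attacker = ("python-requests/2.31", "203.0.113.40")    # constructed attacker context
    cookie = store.issue("maria", *laptop, now=t0)
    out = {}
    out["owner_ok"] = store.resolve(cookie, *laptop, now=t0 + 60)
    out["hijack_bearer_only"] = store.resolve_bearer_only(cookie, now=t0 + 120)
    out["hijack_bound"] = store.resolve(cookie, *attacker, now=t0 + 120)
    out["owner_after_burn"] = store.resolve(cookie, *laptop, now=t0 + 180)
    fresh = store.issue("maria", *laptop, now=t0 + 200)
    out["revoked_on_password_change"] = store.revoke_user("maria")
    out["stale_after_revoke"] = store.resolve_bearer_only(fresh, now=t0 + 300)
    return out


if __name__ == "__main__":
    for check, result in hijack_demo().items():
        print(f"{check:28} -> {result}")
```

The bearer-only check accepts the replayed cookie as Maria; the bound check rejects it and, as a side effect, logs the real owner out so she has to re-authenticate, which is the visible symptom that should prompt a password change. Cookie flags (HttpOnly, Secure, SameSite) shrink the XSS and network theft paths listed above but do nothing against malware or physical access, which is why context binding, short idle timeouts and revoke-on-credential-change matter on the server side. Binding to a /24 is deliberately coarse; in production the IP component is the usual source of false positives on mobile networks.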
Key Takeaways
- Account takeover is a chain of events, from credential theft to sale to testing to exploitation. Understanding each step helps you see where evidence exists.
- Reputation and credit history are attackable assets. Seller accounts, aged accounts, and accounts with lending access are high-value targets because they come with built-in trust or borrowing power.
- Credential stuffing works through volume, not precision. Success rates are tiny, but scale makes it profitable. You don't need to be targeted to become a victim.
- Attackers move fast after login. Password changes, recovery info swaps, and loan applications happen in hours. The damage is often done before the victim wakes up.
- Session tokens are credentials too. Stealing a logged-in session bypasses password checks entirely.
What's next: The Account Security article covers authentication fundamentals, and Advanced Authentication explores how modern login systems like OAuth create new attack surfaces. The Attack Methods article takes a deeper look at specific ATO techniques including SIM swapping and social engineering.
Key Terms
For complete definitions, see the ATO Glossary.
| Term | Definition |
|---|---|
| Account takeover (ATO) | Unauthorized access to someone's account, typically to steal value or information |
| Session token | Data, usually held in a browser cookie, that maintains your logged-in state |
| Session hijacking | Stealing a session token to impersonate an authenticated user |
| Combo list | Database of leaked email/password pairs from data breaches |
| Payout diversion | Changing where a platform sends money, redirecting funds to attacker-controlled accounts |
References
1. FBI IC3 Public Service Announcement: Account Takeover Fraud (November 2025)
2. Verizon 2025 Data Breach Investigations Report, credential stuffing research (22% of breaches used credentials as initial access; 19% of authentication attempts are credential stuffing)
3. Shape Security credential stuffing research (0.2-2% success rate)
Generated with AI assistance. Reviewed by humans for accuracy.