Account Takeover (ATO)
Also known as: ATO, Account compromise
Account takeover (ATO) is when an attacker gains unauthorized control of a legitimate user account, typically using stolen credentials or session cookies. ATO enables fraud, data theft, and lateral movement, and infostealer-sourced data is a major driver of it.
What is account takeover?
Account takeover occurs when a malicious actor logs into and controls an account that belongs to someone else. They may change recovery details to lock out the real owner, drain funds, exfiltrate data, or use the account as a foothold for further attacks.
How attackers achieve ATO
ATO is commonly achieved with compromised credentials from infostealer logs or breaches, with stolen session cookies that bypass MFA, through credential stuffing, and via phishing. Infostealers are especially effective because they provide both credentials and the cookies needed to sidestep additional verification.
VantaPrism reduces ATO risk by detecting compromised credentials and stolen session cookies for an organisation's users early, so accounts can be secured before takeover occurs.
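As an added example (not code from the page or from VantaPrism), the following Python flags one sign of takeover via a stolen session cookie described above: a session that passed MFA from one client is then used from a different IP and browser, and in the worst case to change recovery details. The log format, field names and event names are constructed for the example.

```python
import re
from datetime import datetime

# Constructed sample of an application's session-event log (hypothetical format):
# timestamp, session id, user, client IP, user agent, event name.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z sid=a1b2 user=alice ip=203.0.113.10 ua="Firefox/125 Windows" event=login_mfa_ok
2024-05-01T09:05:00Z sid=a1b2 user=alice ip=203.0.113.10 ua="Firefox/125 Windows" event=view_dashboard
2024-05-01T09:20:00Z sid=a1b2 user=alice ip=198.51.100.77 ua="Chrome/124 Linux" event=view_dashboard
2024-05-01T09:21:00Z sid=a1b2 user=alice ip=198.51.100.77 ua="Chrome/124 Linux" event=change_recovery_email
2024-05-01T10:00:00Z sid=c3d4 user=bob ip=192.0.2.5 ua="Safari/17 macOS" event=login_mfa_ok
2024-05-01T10:30:00Z sid=c3d4 user=bob ip=192.0.2.9 ua="Safari/17 macOS" event=view_dashboard
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) '
    r'ua="(?P<ua>[^"]*)" event=(?P<event>\S+)$'
)

# Actions used to lock out the real owner; escalate these when seen from a foreign client.
SENSITIVE_EVENTS = {"change_recovery_email", "change_password", "add_mfa_device"}


def parse_log(text):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def detect_session_replay(events):
    """Flag sessions whose cookie is reused from a different client than the one that
    passed MFA at login. The first event of a session fixes its (ip, user_agent)
    fingerprint; a later event where both differ is treated as a replayed cookie.
    An IP change alone (e.g. roaming) is not flagged. Returns (severity, user, sid, event)."""
    origin, alerts = {}, []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["sid"] not in origin:
            origin[e["sid"]] = (e["ip"], e["ua"])
            continue
        oip, oua = origin[e["sid"]]
        if e["ip"] != oip and e["ua"] != oua:
            sev = "high" if e["event"] in SENSITIVE_EVENTS else "medium"
            alerts.append((sev, e["user"], e["sid"], e["event"]))
    return alerts
```

Running `detect_session_replay(parse_log(SAMPLE_LOG))` raises two alerts for alice's session and none for bob, whose IP changed but whose browser did not.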
Frequently Asked Questions
How do attackers commit account takeover with cookies?
What are signs of account takeover?
Related Terms
Compromised credentials are usernames and passwords that have been exposed to unauthorized parties — frequently throu…
Session hijacking is the takeover of an authenticated session by stealing and reusing its session token or cookie. Be…
Cookie theft is the stealing of browser cookies — especially authenticated session cookies — so attackers can imperso…
Credential stuffing is an automated attack that takes username/password pairs leaked from one source and tries them e…
Infostealer malware is a category of malicious software designed to silently harvest sensitive data — passwords, sess…