ATO Fundamentals
Essential foundation every fraud professional needs to know about account takeover attacks
By Benjamin, Fraud Attacks · Updated
Account takeover is the unauthorized control of a legitimate user's account, almost always built from credentials sourced through breaches, phishing, or infostealer malware. Once an attacker is logged in as the real owner, payouts, stored payment methods, and creditworthiness all become extractable. This article covers where stolen credentials come from, how credential stuffing turns leaked passwords into compromised accounts, and the post-login playbook attackers run before the owner notices.
The Story
Tanya pulled up the next case in her Tuesday queue. Seller loan application and payout account change in the same weekend. That combination usually meant one thing.
The shop belonged to Maria, a jewelry seller out of Austin. Three years on the platform, 2,400 reviews, 4.8 stars.
She opened the account history. Sunday night at 11:32, someone logged in from a Lithuanian IP. Password change two minutes later. Recovery email changed two minutes after that.
Credential stuffing hit. The new recovery email had been created the same day.
At 11:41, they'd swapped the payout bank account to something in Florida. Monday morning, they applied for a MarketHub Capital loan. Auto-approved for $15,000 based on Maria's three years of clean sales history.
Money hit the Florida account Monday at 3 PM. Maria didn't notice until Tuesday morning when she got the congratulations email for a loan she'd never applied for.
By then, her password was locked and the recovery email went to them. She'd spent an hour on hold with support while her orders kept processing. Three days of sales, about $1,800, flowing to a bank account she'd never seen.
They hadn't stolen her products. They'd stolen her reputation. The lending algorithm saw consistent sales and low chargebacks. It didn't know the person logging in wasn't her.
"Another ATO into a seller loan," Tanya said to Raj at the next desk. "Fifteen grand to Florida. Gone by now."
"They never take out a loan they plan to pay back."
This story is fictional, but the patterns are real.
Why This Matters
In Common Fraud Types, you learned that account takeover (ATO) is when criminals gain unauthorized access to a victim's account. This module goes deeper into how these attacks actually work.
Account takeover isn't just about stolen passwords. It's a full chain of events: criminals obtain credentials, test them at scale, and then extract value from every account they can access. Understanding this chain is essential for investigating ATO incidents.
The numbers tell the story. Since January 2025, the FBI's Internet Crime Complaint Center has received over 5,100 ATO complaints with losses exceeding $262 million.[1] And that's just what gets reported. Many victims never realize their accounts were compromised until the damage is done.
The Verizon 2025 Data Breach Investigations Report found that compromised credentials were the initial access vector in 22% of all breaches, and on a typical day, 19% of authentication attempts across the organizations they analyzed are credential stuffing attacks (closer to 25% at enterprise-sized companies).[2] Credentials are the most reliable way into any system. Why hack through sophisticated defenses when you can just log in?
How Does Account Takeover Work?
Why Are Some Accounts Worth More?
Not all accounts are equal targets. Attackers prioritize based on what they can extract:
| Account Type | What Attackers Want |
|---|---|
| Marketplace seller | Payout diversion, loan fraud, reputation for scams |
| Bank/brokerage | Direct fund transfers |
| Email (especially primary) | Password resets for other accounts |
| Retail (Amazon, etc.) | Stored payment cards, gift card purchases |
| Crypto exchange | Withdraw to external wallet |
| Social media | Spam distribution, scam promotion |
Maria's account was valuable not because it held money, but because it held creditworthiness. Three years of positive sales history made her eligible for a $15,000 loan. The attacker didn't need to sell anything or run stolen cards. They just borrowed against Maria's reputation.
As marketplaces expand into financial services (seller loans, instant payouts, buy-now-pay-later), the value of a compromised seller account goes up. A good seller account isn't just a shop. It's a credit profile.
Email accounts sit at the top of this hierarchy for a different reason. Control someone's primary email and you can reset passwords across dozens of other services. A compromised Gmail or Outlook account can cascade into total digital identity theft.
Where Do Stolen Credentials Come From?
Remember credential stuffing from Common Fraud Types? Attackers test stolen username/password combinations across multiple sites, hoping people reused their passwords. But stuffing is just one source. Here's the full picture:
Data breaches expose credentials in bulk. When a company gets hacked, their user database often ends up for sale on criminal marketplaces. These "combo lists" contain millions of email/password pairs. Maria's password came from a breach at a cooking forum she'd signed up for years ago and forgotten about.
Phishing tricks people into entering credentials on fake login pages. A convincing email from "MarketHub Security" links to a site that looks identical to the real thing, but the login form sends everything straight to attackers. Standards like SPF, DKIM, and DMARC raise the bar for impersonation, but they do not block look-alike domains; email authentication is one control in a wider stack.
Infostealer malware runs silently on infected computers, capturing every password typed or saved in browsers. One careless download can expose credentials for every site a person uses.
Social engineering manipulates support staff into resetting passwords or disabling security features. An attacker calls pretending to be the account owner, claims they lost their phone, and talks their way into access. The patterns of urgency and authority these calls rely on are covered in social engineering basics.
The Timeline of a Stolen Credential
There's a gap between when your password leaks and when someone uses it against you. Understanding this timeline explains why ATO attacks can seem to come from nowhere:
- Breach occurs (Day 0): A company database is compromised
- Data extracted (Days 1-30): Attackers copy user records
- Data sold (Weeks to months): Credentials appear on criminal markets
- Testing begins (Ongoing): Bots try combinations across sites
- Successful login (Variable): Your reused password works somewhere
- Account takeover (Minutes): Attacker changes password and takes control
Maria's password was probably stolen months or years before her MarketHub account was hit. The attacker who logged in likely bought a batch of credentials, ran them through automated tools, and her account was one of many that worked.
Inside a Credential Stuffing Attack
Credential stuffing has a low success rate, typically between 0.2% and 2%.[3] That sounds tiny, but attackers work at massive scale. Run a million stolen credentials and even a 0.5% success rate means 5,000 compromised accounts.
Here's what makes credential stuffing economically viable:
- Credentials are cheap: Leaked combo lists cost almost nothing
- Automation handles volume: Bots test thousands of logins per minute
- Proxies hide the source: Requests come from different IP addresses
- Residential proxies look legitimate: Traffic appears to come from normal homes
- Success compounds: One email account opens doors to many others
The attacker didn't target Maria specifically. They sprayed credentials at marketplace sites, retail sites, banks. Whoever reused their password became a victim. Maria just happened to have a valuable account with a credit line attached.
What Do Attackers Do After Logging In?
Once attackers get into an account, they move fast. The sequence is predictable:
Lock out the owner: Change the password immediately. Change the recovery email and phone number. Now the real owner can't get back in or receive security alerts.
Assess the value: What's in this account? Seller reputation? Stored payment methods? Pending balance? Loan eligibility? Connected bank account for payouts?
Extract value: For Maria's seller account, the attacker changed the payout destination and took out a loan against her reputation. For a retail account, they might buy gift cards with stored payment methods. For a bank account, they transfer funds directly.
Work quickly: The longer the attack runs before detection, the more value can be extracted. Maria's attacker finished the loan application before she even knew something was wrong.
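The lock-out-then-extract sequence is regular enough to alert on: a login from a country the account has never used, followed within hours by password, recovery and payout changes. The script below is an added example rather than code from the original article; its event records are constructed to mirror the story's timeline, and the weights, 24-hour window and threshold are illustrative assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed account-event records modelled on the timeline in the story
# above (not real platform data). Format: (account, ISO timestamp, event, country)
SAMPLE_EVENTS = [
    ("maria", "2025-06-01T09:15:00", "login", "US"),
    ("maria", "2025-06-08T11:32:00", "login", "LT"),
    ("maria", "2025-06-08T11:34:00", "password_change", "LT"),
    ("maria", "2025-06-08T11:36:00", "recovery_email_change", "LT"),
    ("maria", "2025-06-08T11:41:00", "payout_account_change", "LT"),
    ("maria", "2025-06-09T09:05:00", "loan_application", "LT"),
    ("bob",   "2025-06-01T08:00:00", "login", "US"),
    ("bob",   "2025-06-08T10:00:00", "login", "CA"),  # travelling; only rotates a password
    ("bob",   "2025-06-08T10:03:00", "password_change", "CA"),
]

# Weights for changes that lock the owner out or redirect value. A lone
# password change stays under the threshold; lockout plus diversion does not.
SENSITIVE = {"password_change": 1, "recovery_email_change": 2, "phone_change": 2,
             "payout_account_change": 3, "loan_application": 3}

def takeover_alerts(events, window=timedelta(hours=24), threshold=4):
    """Flag accounts where a login from a country never seen on that account
    before is followed, inside `window`, by sensitive changes whose weights
    sum to at least `threshold`. Returns {account: (score, [event names])}."""
    by_account = defaultdict(list)
    for acct, ts, ev, cc in events:
        by_account[acct].append((datetime.fromisoformat(ts), ev, cc))
    alerts = {}
    for acct, evs in by_account.items():
        evs.sort()
        known = set()                      # countries seen on earlier logins
        for i, (ts, ev, cc) in enumerate(evs):
            if ev != "login":
                continue
            if known and cc not in known:  # new geo on an account with history
                chain = [(t, e) for t, e, _ in evs[i + 1:]
                         if e in SENSITIVE and t - ts <= window]
                score = sum(SENSITIVE[e] for _, e in chain)
                if score >= threshold and acct not in alerts:
                    alerts[acct] = (score, [e for _, e in chain])
            known.add(cc)
    return alerts
```

Scoring the chain rather than any single change keeps a traveller's password rotation quiet while the full lock-out-and-divert sequence scores well above threshold.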
Monetizing Stolen Accounts
Different accounts get monetized differently. Understanding these patterns helps you see what attackers are actually after:
Seller accounts offer multiple cash-out paths. Attackers can divert payouts from ongoing sales, take out loans against the seller's history, or use the account's reputation to run scams. The cleaner the seller's history, the more options attackers have. Maria's spotless three-year record made her a perfect target.
Retail accounts with stored payment cards become shopping tools. Attackers buy gift cards (easy to resell), electronics (ship to a drop address as discussed in Criminal Infrastructure), or digital goods. Gift cards are particularly attractive because they convert to cash quickly through resale markets.
Bank accounts allow direct transfers, but these are harder to cash out. Attackers might use Zelle or wire transfers to move money to accounts they control, or add themselves as authorized users on credit cards.
Email accounts are often more valuable than they appear. Access to someone's primary email means access to password reset flows for every other service they use. One compromised inbox can cascade into dozens of compromised accounts.
Session Tokens and Session Hijacking
Passwords aren't the only way into accounts. Every time you log in to a website, your browser receives a session token, a small piece of data that proves you've already authenticated. Think of it like a wristband at an event. Once you're in, you don't show your ticket again. You just flash the wristband.
Session tokens are stored as cookies in your browser. If an attacker can steal that cookie, they can impersonate your logged-in session without ever knowing your password. They're not breaking in. They're walking in with your wristband.
Session hijacking can happen through:
- Malware that extracts cookies from your browser
- Man-in-the-middle attacks on unsecured networks
- Cross-site scripting (XSS) vulnerabilities in websites
- Physical access to an unlocked computer
Unlike credential stuffing, session hijacking bypasses login entirely. The attacker inherits an already-authenticated session. If Maria had logged into MarketHub on an infected computer, the attacker could have grabbed her session cookie and never needed her password at all.
Key Takeaways
- Account takeover is a chain of events, from credential theft to sale to testing to exploitation. Understanding each step helps you see where evidence exists.
- Reputation and credit history are attackable assets. Seller accounts, aged accounts, and accounts with lending access are high-value targets because they come with built-in trust or borrowing power.
- Credential stuffing works through volume, not precision. Success rates are tiny, but scale makes it profitable. You don't need to be targeted to become a victim.
- Attackers move fast after login. Password changes, recovery info swaps, and loan applications happen in hours. The damage is often done before the victim wakes up.
- Session tokens are credentials too. Stealing a logged-in session bypasses password checks entirely.
What's next: The Account Security article covers authentication fundamentals, and Advanced Authentication explores how modern login systems like OAuth create new attack surfaces. The Attack Methods article takes a deeper look at specific ATO techniques including SIM swapping and social engineering.
Key Terms
For complete definitions, see the ATO Glossary.
| Term | Definition |
|---|---|
| Account takeover (ATO) | Unauthorized access to someone's account, typically to steal value or information |
| Session token | Data stored in browser cookies that maintains your logged-in state |
| Session hijacking | Stealing a session token to impersonate an authenticated user |
| Combo list | Database of leaked email/password pairs from data breaches |
| Payout diversion | Changing where a platform sends money, redirecting funds to attacker-controlled accounts |
References
1. FBI IC3 Public Service Announcement: Account Takeover Fraud (November 2025)
2. Verizon 2025 DBIR Credential Stuffing Research (22% of breaches used credentials as initial access; 19% of auth attempts are credential stuffing)
3. Shape Security credential stuffing research (0.2-2% success rate)