There are instances where a website, such as an online retailer or bank, gets hacked and the perpetrators inject their own code to deface the site and/or steal sensitive information. One of the more common examples is when attackers get hold of an admin's password and then use it to change things like other users' passwords or to access stored credit card numbers.
This article will describe what constitutes an account takeover and provide examples of recent incidents.
What is Account Takeover?
An account takeover occurs when a criminal manages to get hold of a person's password to their email or other sensitive accounts. This can lead to stolen information, such as credit card numbers and personal information, being used for identity theft. In the most serious cases, money and assets can be stolen from the original account holder.
Common types of account takeover
The more common types of account takeover include:
1. Credit card theft
Criminals use a person's credit cards to buy things before the legitimate owner of that card finds out and contacts their bank or credit card network company. The new purchases made using the card are also charged to the rightful owner.
2. Email / social media account takeover
Criminals get hold of a person's password for accounts like their email or, more commonly, their Facebook or Twitter accounts. Once they have access, they can easily gather information about that person and send messages to their contacts asking for money. The criminal can also make posts or tweets that look like they are coming from the victim, which is called "Twitter squatting".
3. Credential stuffing
Criminals try username and password combinations gathered from one website (for example, through a data breach) on other websites. Often, the same combination works because people reuse the same credentials everywhere. Unbeknownst to them, this leaves them vulnerable to having multiple accounts compromised if a single site gets hacked.
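The pattern described above (one source trying many different usernames, most of which fail) is what a site operator looks for in its authentication logs. The following is an added example, not code from the article: it parses a small constructed log in an assumed "timestamp ip username ok|fail" format, flags source addresses whose activity looks like credential stuffing, and lists the accounts that did log in successfully from such an address, since those are the ones whose owners should be forced to reset their password.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not from the article).
# Assumed line format: "<epoch seconds> <source ip> <username> <ok|fail>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 alice fail
1700000001 203.0.113.7 bob fail
1700000002 203.0.113.7 carol fail
1700000003 203.0.113.7 dave ok
1700000004 203.0.113.7 erin fail
1700000005 203.0.113.7 frank fail
1700000030 198.51.100.2 alice fail
1700000040 198.51.100.2 alice ok
1700000100 192.0.2.9 gina ok
"""


@dataclass
class IpStats:
    users: set = field(default_factory=set)      # distinct usernames tried
    failures: int = 0                            # failed attempts
    successes: set = field(default_factory=set)  # usernames that logged in OK


def parse_log(text):
    """Turn the log text into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((int(ts), ip, user, result == "ok"))
    return events


def detect_credential_stuffing(events, min_distinct_users=5, min_failures=3):
    """Return {ip: IpStats} for source addresses whose pattern (many different
    usernames, mostly failing) looks like credential stuffing.

    A normal user who forgets their password retries one username from one
    address; a stuffing run cycles through a list of leaked usernames.
    A production detector would bucket events into time windows; this
    example treats the whole sample as one window for clarity."""
    per_ip = defaultdict(IpStats)
    for _ts, ip, user, ok in events:
        stats = per_ip[ip]
        stats.users.add(user)
        if ok:
            stats.successes.add(user)
        else:
            stats.failures += 1
    return {
        ip: stats
        for ip, stats in per_ip.items()
        if len(stats.users) >= min_distinct_users and stats.failures >= min_failures
    }


def accounts_to_reset(events, **thresholds):
    """Usernames that successfully authenticated from a flagged address.
    These accounts are likely already taken over: the site should revoke
    their sessions and force a password change."""
    flagged = detect_credential_stuffing(events, **thresholds)
    return sorted({u for stats in flagged.values() for u in stats.successes})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, stats in detect_credential_stuffing(evs).items():
        print(f"{ip}: {len(stats.users)} usernames, {stats.failures} failures")
    print("force reset:", accounts_to_reset(evs))
```

In the sample, 203.0.113.7 tries six different usernames with five failures and is flagged; the one account that accepted its password (dave) is the one to reset. The address that fails once and then succeeds with the same username is an ordinary user and is left alone.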
Example of account takeover
One popular example of account takeover was in 2018 when around 50 million Facebook user accounts were compromised. In this case, the attackers were able to steal digital tokens from 50 million accounts via an automated process that moved users' access tokens into their own system.
These tokens are used by Facebook to keep people logged in so they don't have to log in every time they visit a site with a Facebook login button. The hackers then posted spam to the 50 million compromised accounts. Their activity was discovered by Facebook's security team, who logged people out of their accounts as a precautionary measure.
People who wanted to regain access to their Facebook accounts had to change their passwords and re-verify all third-party apps or websites that they use with Facebook. The company also reset digital access tokens for another 40 million accounts that had been subject to a "View As" look-up in the last year.
People who logged into Facebook and could not remember their password were shown a warning about the hack and told to set up an access code if they wanted to re-enter their account. This is because there was no way of telling whether the hackers were still logged in to the accounts they had just compromised.
Ways to identify account takeover
If you are logged into an account and the following things happen, it's likely that your account has been compromised:
- You receive a message from someone asking for money or personal details. This could be disguised as coming from a person in your address book, someone you would trust. However, they're most likely not who they claim to be.
- You notice someone is using your profile to post spam or questionable content. This could be anything from photos, posts or videos that you do not like the look of. If this is happening, it's likely that an account has been compromised.
- Your account appears to be acting strangely: people may seem to know more about you than they should, conversations may seem odd, or it just doesn't feel right.
- You have not updated your account for a while but then all of a sudden you are being asked to do something, like change your password. This could be an attempt by the criminal to get control of your account again.
- Your profile picture has changed without you updating it.
- You receive friend requests from people you do not know. This could be someone pretending to get in touch with you for money, trying to get their hands on your contacts list or even getting hold of other sensitive information that they can use against you.
Protecting yourself against account takeover
Since account takeover is such a menace, how can one protect themselves against it?
Here are 8 ways to avoid becoming an account takeover victim:
1. Use a strong, unique password for your social media accounts
Remember that it is very important to use a different, strong, and unique password for every single one of your social media accounts. This is because if someone gets hold of your Facebook account, they will most likely try to go for other accounts as well. A great way to keep track of all these passwords is to use a password manager.
2. Do not use the same passwords across different accounts
Using strong passwords is one way to protect yourself against account takeover. However, a strong password is not enough if you use the same one for all of your social media accounts, because a single leak then exposes every account at once. You don't want to be logging in everywhere with just one password.
3. Use a security question when signing up for a new account
Incorporating security questions into the sign-up process is another way of protecting yourself against account takeover. This can be especially helpful if you want to ensure that only the right people, like your close ones and friends, have access to your social media accounts.
4. Update your privacy settings
Privacy settings should also be reviewed regularly. Keep in mind that not everyone should have access to your social media accounts, including third-party apps. So it is important to make sure that only the right people can view and use your account.
5. Utilize 2-step verification (2FA)
Two-step verification is a very helpful method for protecting yourself against account takeover. In addition to your password, it requires you to confirm that it is really you who is trying to log on to your account, using an extra factor such as a security key, your phone number, or a code sent by SMS. This check can be performed when signing in on your phone, tablet, or computer.
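To make the "extra factor" concrete, here is an added example (not code from the article) of the server side of a time-based one-time code, the kind an authenticator app or SMS step produces. It implements HOTP/TOTP as specified in RFC 4226 and RFC 6238 with HMAC-SHA1, which is why the constructed shared secret below is the RFC test key, and shows the two checks a verifier must do beyond comparing digits: tolerate a little clock skew, and refuse a code that has already been used, so an intercepted code cannot be replayed.

```python
import hashlib
import hmac
import struct

# Shared secret as the server would store it for one user.
# Constructed value: the RFC 4226 test key, not a real credential.
SECRET = b"12345678901234567890"
DIGITS = 6
STEP = 30  # seconds per time step (RFC 6238 default)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the
    8-byte big-endian counter, then dynamic truncation to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (
        (digest[offset] & 0x7F) << 24
        | digest[offset + 1] << 16
        | digest[offset + 2] << 8
        | digest[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP, digits: int = DIGITS) -> str:
    """Time-based variant (RFC 6238): the counter is the number of whole
    time steps since the Unix epoch at time `at` (seconds)."""
    return hotp(secret, at // step, digits)


class SecondFactorVerifier:
    """Server-side check of the second factor for one user.

    Accepts codes from `skew` steps on either side of the current step so
    that a slightly wrong phone clock still works, and remembers the newest
    step it has accepted so the same code can never be accepted twice."""

    def __init__(self, secret: bytes, step: int = STEP, skew: int = 1):
        self.secret = secret
        self.step = step
        self.skew = skew
        self.last_accepted_step = -1  # persisted per user in a real system

    def verify(self, submitted: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.skew, current + self.skew + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed: reject replay of an old code
            expected = hotp(self.secret, candidate, len(submitted))
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = SecondFactorVerifier(SECRET)
    code = totp(SECRET, 59)          # what the user's device shows at t=59
    print("first use :", verifier.verify(code, 59))   # True
    print("replayed  :", verifier.verify(code, 59))   # False
```

The password check happens first and independently; only a correct password plus a fresh, matching code lets the login through, which is what stops an attacker who has obtained the password alone.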
6. Keep track of the apps you use
You should also keep track of all the apps that you have authorized to access your social media accounts, and remove any you no longer use. If any suspicious activity is detected in the future, you will be able to notice it immediately.
7. Never share your passwords with anyone
No one other than yourself should know your passwords. Remember that sharing your password puts you at risk of losing control of your social media accounts to malicious individuals.
8. Don't dismiss protective software
Even all of the tips above taken together can't guarantee perfect protection from an account takeover. Don't hesitate to get help from effective account takeover prevention software. With such software in place, there is a better chance that human error won't leave your information exposed.
Account takeover is a real threat. However, if you implement the necessary precautions and follow simple security guidelines, like those listed above, you will be able to protect yourself against account takeover!