Account takeover (ATO) is when an attacker gains control of an online account and uses it to impersonate you, steal money, access data, or pivot into other accounts.
ATO is usually not one action. It is a sequence: initial access, persistence, and then exploitation.
Why it matters for account recovery
Recovery succeeds when you remove all attacker footholds, not just the obvious one. That often means rotating credentials, ending sessions, and fixing recovery methods in the right order.
Most ATO investigations eventually reduce to control-plane questions: who controls your email inbox, your phone number, and your active sessions.
Common failure modes and misconceptions
- Password change without session revocation: Attackers can keep access through existing sessions if you do not end them.
- Recovery channel compromise: If your email or phone is compromised, resets and alerts become attacker tools.
- Persistence through connected apps: OAuth apps can retain access. Review OAuth permissions during recovery.
Safe best practices
- Protect the control plane first: 2FA on email, strong passwords, and clean recovery settings.
- Use a password manager to stop reuse, which drives credential stuffing.
- End all sessions and review login history after any suspected compromise.
- Treat unexpected verification prompts and "support" outreach as suspicious.
ATO becomes manageable when the sequence is predictable: secure the control plane, remove sessions and apps, then rotate credentials and recovery methods.
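The first two failure modes above and the recovery order in this closing sentence, as an added Python model that is not part of the original page: sessions and OAuth grants live in an in-memory dict and set (constructed), change_password_only shows what a bare password change leaves behind, and recover applies the sequence the text describes.

```python
import hashlib
import secrets
from typing import Dict, List, Optional, Set


class Account:
    """Constructed in-memory model of one account and the footholds it can hold."""

    def __init__(self, password: str, recovery_email: str):
        self.password_hash = self._hash(password)
        self.recovery_email = recovery_email
        self.sessions: Dict[str, str] = {}   # session token -> device label
        self.oauth_grants: Set[str] = set()  # connected apps holding tokens

    @staticmethod
    def _hash(password: str) -> str:
        # Toy hashing for the model only; a real service uses a slow password hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def login(self, password: str, device: str) -> Optional[str]:
        if self._hash(password) != self.password_hash:
            return None
        token = secrets.token_hex(16)
        self.sessions[token] = device
        return token

    def session_valid(self, token: str) -> bool:
        return token in self.sessions

    def change_password_only(self, new_password: str) -> None:
        """The failure mode from the text: the credential rotates, sessions and apps survive."""
        self.password_hash = self._hash(new_password)

    def recover(self, new_password: str, new_recovery_email: str) -> None:
        """Recovery in the order the text gives: sessions and apps first, then rotation."""
        self.sessions.clear()        # end every session, the attacker's included
        self.oauth_grants.clear()    # drop connected-app access
        self.recovery_email = new_recovery_email   # fix the recovery channel
        self.password_hash = self._hash(new_password)

    def remaining_access(self) -> List[str]:
        """Every session and connected app that could still be used right now."""
        return sorted(list(self.sessions.values()) + list(self.oauth_grants))


def demo() -> tuple:
    acct = Account("correct horse", "owner@example.invalid")   # constructed values
    stolen = acct.login("correct horse", "unknown device")     # session opened with a leaked password
    acct.oauth_grants.add("calendar-sync-app")                 # connected app added during the takeover
    acct.change_password_only("new passphrase")
    after_password_only = (acct.remaining_access(), acct.session_valid(stolen))
    acct.recover("another passphrase", "owner-new@example.invalid")
    return after_password_only, (acct.remaining_access(), acct.session_valid(stolen))
```

demo() returns the leftover access after a password-only change (the session and the connected app both persist) and after the full recovery sequence (nothing remains).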
