
hacked.com


OAuth


OAuth is a standard for delegated access. It lets a third-party app access parts of your account (email, files, calendar, profile) after you grant permission, without giving the app your password.

You will often see OAuth as a "Connected apps", "Third-party access", or "Sign in with Google/Microsoft/Facebook" flow.

Why it matters for account recovery

OAuth matters because it can survive password changes. If an attacker tricks you into granting an app access, or adds a malicious app while in control of your account, that app may keep access even after you rotate credentials.

During recovery, reviewing connected apps is often one of the highest-leverage steps for removing persistence.

Common failure modes and misconceptions

  • Consent under pressure: Attackers use social engineering to push you into approving permissions that look routine.
  • Assuming password resets evict all access: Resetting a password does not always revoke existing tokens or app permissions.
  • Overbroad permissions: Apps that can read mail, forward messages, or access files expand the blast radius of one mistake.

Safe best practices

  • Review connected apps periodically, and remove anything you do not recognize or no longer use.
  • Treat unexpected permission prompts as phishing. See phishing and social engineering.
  • If you are dealing with an active compromise, also review sessions and sign-ins for session hijacking indicators.
  • Prefer least privilege: only grant apps the minimum scope required.
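The two lists above describe what a connected-apps review is looking for: apps you do not recognise, grants made while the account was under someone else's control, grants that were never used, and scopes that can read, forward or copy data. The script below is an added example (not code from hacked.com) that turns those checks into a triage pass over a list of grants. The Grant fields, the scope names, the app names and the compromise date are all constructed for the example; real providers use their own export formats and scope strings, so the field mapping and the high-risk scope set would have to be adapted to the provider being cleaned up.

```python
"""Triage of third-party OAuth grants during account recovery.

Added illustrative example; not code from hacked.com. The Grant schema,
scope names and sample apps below are constructed for the demo and do not
match any particular provider's "connected apps" export.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Set

# Scopes that let an app read, forward or copy data out of the account.
# Illustrative names only; real providers use their own scope strings.
HIGH_RISK_SCOPES: Set[str] = {
    "mail.read", "mail.send", "mail.forwarding",
    "files.read", "files.readwrite", "contacts.read",
    "offline_access",  # refresh token: access persists after the session ends
}


@dataclass
class Grant:
    app: str
    scopes: List[str]
    granted_at: datetime
    last_used: Optional[datetime] = None  # None: the grant was never exercised


@dataclass
class Finding:
    app: str
    action: str = "keep"          # "revoke", "review" or "keep"
    reasons: List[str] = field(default_factory=list)


def triage_grants(grants: List[Grant], known_apps: Set[str],
                  compromise_start: datetime) -> List[Finding]:
    """Classify each grant. A password reset does not clear these, so
    anything flagged "revoke" must be removed in the provider's
    connected-apps settings (and active sessions reviewed separately)."""
    findings = []
    for g in grants:
        f = Finding(app=g.app)
        unknown = g.app not in known_apps
        in_window = g.granted_at >= compromise_start
        never_used = g.last_used is None
        risky = sorted(HIGH_RISK_SCOPES & set(g.scopes))

        if unknown:
            f.reasons.append("app not in the list of recognised apps")
        if in_window:
            f.reasons.append("granted during the suspected compromise window")
        if never_used:
            f.reasons.append("grant has never been used")
        if risky:
            f.reasons.append("high-risk scopes: " + ", ".join(risky))

        # Unknown, recently added or unused grants go; known-but-broad
        # grants are kept only after a deliberate least-privilege check.
        if unknown or in_window or never_used:
            f.action = "revoke"
        elif risky:
            f.action = "review"
        findings.append(f)
    return findings


# --- constructed sample data (not real apps or a real export) ---------------
UTC = timezone.utc
COMPROMISE_START = datetime(2024, 5, 10, tzinfo=UTC)
KNOWN_APPS = {"Calendar Sync Pro", "Drive Backup", "Old Notes App"}
SAMPLE_GRANTS = [
    Grant("Calendar Sync Pro", ["calendar.read"],
          datetime(2023, 1, 5, tzinfo=UTC), datetime(2024, 5, 1, tzinfo=UTC)),
    Grant("Mail Helper", ["mail.read", "mail.forwarding", "offline_access"],
          datetime(2024, 5, 12, tzinfo=UTC), datetime(2024, 5, 13, tzinfo=UTC)),
    Grant("Drive Backup", ["files.readwrite", "offline_access"],
          datetime(2022, 8, 20, tzinfo=UTC), datetime(2024, 4, 30, tzinfo=UTC)),
    Grant("Old Notes App", ["profile"],
          datetime(2021, 3, 3, tzinfo=UTC), None),
]


def report(findings: List[Finding]) -> str:
    """Plain-text summary, one line per grant plus its reasons."""
    lines = []
    for f in findings:
        lines.append(f"{f.action.upper():7} {f.app}")
        for r in f.reasons:
            lines.append(f"         - {r}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage_grants(SAMPLE_GRANTS, KNOWN_APPS, COMPROMISE_START)))
```

The script only classifies; the actual removal happens in the provider's connected-apps page, which is the step a password reset does not perform for you. The "review" outcome is deliberate: a known backup or mail app with broad scopes is not evidence of compromise by itself, but it is the place where a single mistaken consent would do the most damage, so it is where the least-privilege question gets asked.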

OAuth is not a vulnerability. It is a capability. The risk shows up when permission grants are not treated as security events.