What is account takeover?

Account takeover happens when an attacker gains access to a legitimate user account, such as email, banking, cloud storage, or social media.

Simple example

An attacker signs in to a staff mailbox using a stolen password and starts sending invoice-change emails.

Why it matters

Account takeover is dangerous because the attacker appears to be a trusted user, so their messages and actions carry that user's credibility and access rights.

Common warning signs

  • The activity is unexpected or unusual for the business context.
  • The request or system behaviour creates pressure to act quickly.
  • Normal approval, verification, or security processes are bypassed.
  • There are signs of unauthorised access, data exposure, or system change.
  • Staff are unsure whether the request, message, or system behaviour is legitimate.

Cyber Doc view

This term should be understood in business context, not only as a technical issue. Good protection usually combines clear processes, appropriate technical controls, staff awareness, and a calm response plan.

What to do

Proactive steps

  • Use MFA on important accounts.
  • Use unique passwords and a password manager.
  • Monitor suspicious sign-ins and new devices.
  • Remove dormant accounts.
  • Train users to report unexpected login alerts.

Reactive steps

  • Change the password from a clean device.
  • Reset MFA methods and active sessions.
  • Check mailbox rules, forwarding, and connected apps.
  • Review recent actions taken by the account.
  • Notify affected parties if fraudulent messages or data exposure occurred.
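The two technical checks in the lists above, monitoring for suspicious sign-ins and new devices, and checking mailbox rules and forwarding, can be turned into a repeatable triage script. The example below is added here and is not part of the original page or any Cyber Doc tooling; it assumes mailbox rules and sign-in events have already been exported into simple Python dictionaries (the field names, the trusted-domain list and the known-device list are assumptions), and all input is constructed sample data.

```python
"""Triage helpers for a suspected account takeover (added example, constructed data).

Assumed inputs: mailbox rules and sign-in events exported as plain dicts.
Field names below are hypothetical and will differ per mail platform.
"""
from datetime import datetime, timedelta

# Constructed sample: mailbox rules found on the affected mailbox.
SAMPLE_RULES = [
    {"name": "Invoices", "forward_to": ["finance@partner-ltd.example"],
     "move_to": None, "delete": False},
    # Typical post-compromise rule: external forward, hidden, then deleted.
    {"name": ".", "forward_to": ["ext.drop@attacker-mail.example"],
     "move_to": "RSS Feeds", "delete": True},
    {"name": "Newsletters", "forward_to": [], "move_to": "Reading", "delete": False},
]

# Constructed sample: sign-in events for one user, oldest to newest.
SAMPLE_SIGNINS = [
    {"user": "j.smith", "time": "2024-03-01T08:05:00", "country": "GB",
     "device_id": "LAPTOP-01", "mfa": True},
    {"user": "j.smith", "time": "2024-03-01T08:40:00", "country": "GB",
     "device_id": "LAPTOP-01", "mfa": True},
    {"user": "j.smith", "time": "2024-03-01T09:10:00", "country": "NG",
     "device_id": "unknown-7f3a", "mfa": False},
]

# Assumed organisational knowledge: domains mail may legitimately forward to,
# and devices each user has previously used.
TRUSTED_DOMAINS = {"partner-ltd.example"}
KNOWN_DEVICES = {"j.smith": {"LAPTOP-01"}}

# Folders users rarely open; rules that file mail here are often used to hide it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


def suspicious_rules(rules, trusted_domains=TRUSTED_DOMAINS):
    """Return (rule_name, [reasons]) for rules that forward externally,
    delete mail, hide mail in an unread folder, or carry a blank name."""
    findings = []
    for r in rules:
        reasons = []
        external = [a for a in r.get("forward_to", [])
                    if a.split("@")[-1].lower() not in trusted_domains]
        if external:
            reasons.append("forwards to external address " + ", ".join(external))
        if r.get("delete"):
            reasons.append("deletes matched mail")
        if (r.get("move_to") or "").lower() in HIDING_FOLDERS:
            reasons.append(f"moves mail to rarely-read folder '{r['move_to']}'")
        if len(r.get("name", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        if reasons:
            findings.append((r.get("name", ""), reasons))
    return findings


def suspicious_signins(events, known_devices=KNOWN_DEVICES, window_hours=6):
    """Return (user, time, [reasons]) for sign-ins from an unknown device,
    without MFA, or from a different country than the previous sign-in
    within `window_hours` (a simple impossible-travel check)."""
    findings = []
    last_seen = {}  # user -> {"country": ..., "time": datetime}
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        reasons = []
        if e["device_id"] not in known_devices.get(e["user"], set()):
            reasons.append(f"new device {e['device_id']}")
        if not e.get("mfa", False):
            reasons.append("signed in without MFA")
        prev = last_seen.get(e["user"])
        if prev and prev["country"] != e["country"] \
                and t - prev["time"] < timedelta(hours=window_hours):
            reasons.append(f"country changed {prev['country']}->{e['country']} "
                           f"within {window_hours}h")
        last_seen[e["user"]] = {"country": e["country"], "time": t}
        if reasons:
            findings.append((e["user"], e["time"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"RULE '{name}': " + "; ".join(reasons))
    for user, when, reasons in suspicious_signins(SAMPLE_SIGNINS):
        print(f"SIGN-IN {user} @ {when}: " + "; ".join(reasons))
```

Run against a real export, the script gives the responder a short list to act on rather than a raw rule dump: every flagged rule is a candidate for removal, and every flagged sign-in is a session to revoke during the "reset MFA methods and active sessions" step. The thresholds (trusted domains, hiding folders, six-hour travel window) are deliberately simple and should be tuned to the business.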

Related terms

  • Credential theft
  • Multi-factor authentication
  • Business email compromise