Definition
An account takeover occurs when an unauthorized user gains control of a user account, through means such as hacking, phishing or buying leaked credentials.
Identifying Account Takeovers
An account owner may use out-of-band communications like email to report the loss of an account.
Followers of the account may report the account for unexpected changes in account details or posting habits. Alternatively, the account may exhibit unlikely increases in reposts, likes or boosts.
Logins may occur from new or unlikely geographic locations. This can be ascertained with some level of certainty from the IP addresses used to access the account.
Challenges
A large number of services allow account creation with nothing more than a nickname and an email address, making it hard to verify the true account holder. One method of account takeover is to email the service's support contact, falsely claim that the account has been taken over, and request that it be reset using a new email address belonging to the attacker.
It is important to verify any incoming requests.
- Is the request from the email address associated with the account?
- If not, can the requestor name the email address that was previously used, and explain why they no longer have access to that email?
- Can the requestor tell you their current IP address? Does it roughly match any of the IP addresses you may be able to see the account has used previously?
- Has the user had previous interactions with your support team? Can those be described?
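The checks above, run against a constructed account record, as an added example that is not part of the original page. The record shapes, the /24 and /48 reading of "roughly match" and the three outcomes are assumptions; the requestor's explanation for losing email access still needs a human reader.

```python
import ipaddress
from dataclasses import dataclass, field
# Assumption: "roughly match" means the same /24 (IPv4) or /48 (IPv6) network.
ROUGH_PREFIX = {4: 24, 6: 48}

@dataclass
class Account:  # hypothetical record of what the service holds
    email: str
    seen_ips: list = field(default_factory=list)
    ticket_ids: list = field(default_factory=list)

@dataclass
class Request:  # hypothetical parsed support request
    from_email: str
    named_old_email: str = ""
    stated_ip: str = ""
    cited_ticket: str = ""

def norm(email):
    return email.strip().lower()

def ip_roughly_matches(stated, seen_ips):
    try:
        addr = ipaddress.ip_address(stated.strip())
    except ValueError:  # an empty or malformed answer counts as no match
        return False
    for seen in seen_ips:
        s = ipaddress.ip_address(seen)
        net = ipaddress.ip_network(f"{s}/{ROUGH_PREFIX[s.version]}", strict=False)
        if addr in net:  # False when the IP versions differ
            return True
    return False

def review(account, req):
    checks = {
        "from_account_email": norm(req.from_email) == norm(account.email),
        "names_old_email": norm(req.named_old_email) == norm(account.email),
        "ip_roughly_matches": ip_roughly_matches(req.stated_ip, account.seen_ips),
        "cites_known_ticket": req.cited_ticket in account.ticket_ids,
    }
    # Assumed policy: mail from the address on file only triggers a reset to that address.
    if checks["from_account_email"]:
        return "reset_to_address_on_file", checks
    rest = [ok for name, ok in checks.items() if name != "from_account_email"]
    return ("manual_review" if all(rest) else "deny_email_change"), checks

# Constructed sample data (documentation address ranges).
ACCOUNT = Account("owner@example.org", ["203.0.113.40", "2001:db8:12:1::5"], ["T-1001"])
OWNER = Request("new@example.net", "Owner@Example.org ", "203.0.113.77", "T-1001")
IMPOSTER = Request("attacker@example.com", "", "198.51.100.9", "")
```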