23andMe Filed for Bankruptcy. Account Takeover Was the Starting Gun.
In October 2023, genetic testing company 23andMe confirmed that threat actors had logged into roughly 14,000 user accounts and, through the DNA Relatives feature those accounts could see, scraped profile data belonging to about 6.9 million users. The attack method wasn't an exotic zero-day exploit. It was credential stuffing: attackers replayed username and password pairs leaked from other sites and logged in as real users. The fallout was severe: class-action lawsuits, a $30 million settlement in 2024, and ultimately a Chapter 11 bankruptcy filing in March 2025. The chain of events started with a failure of account takeover prevention.
If you think account takeover (ATO) is a problem reserved for consumer tech companies, I've got bad news. The 2024 Verizon Data Breach Investigations Report found that stolen credentials were involved in over 44% of breaches involving web applications. ATO is the bread and butter of modern cybercrime, and it's hitting organizations of every size.
This guide breaks down exactly how account takeover attacks work in 2025, the layered defenses that actually stop them, and the specific steps your organization can take starting today. No theory. Just the stuff that works.
What Is Account Takeover and Why Should You Care?
Account takeover happens when an unauthorized person gains control of a legitimate user's account. That could be an email account, a cloud application, a banking portal, or an admin dashboard. The attacker doesn't break in through a wall — they walk through the front door with stolen keys.
Here's what makes ATO so dangerous: once inside, the attacker is the user. They can exfiltrate data, send phishing emails from a trusted address, authorize fraudulent transactions, or pivot deeper into your network. Traditional perimeter defenses don't flag this because the login looks legitimate.
The Financial Damage Is Staggering
According to the FBI's Internet Crime Complaint Center (IC3) 2023 Annual Report, business email compromise, a direct consequence of account takeover, accounted for over $2.9 billion in adjusted losses, second only to investment fraud among the categories IC3 tracks. And those are just the reported numbers.
I've worked with organizations where a single compromised email account led to six-figure wire fraud losses in under 48 hours. The attacker monitored the inbox, waited for a real invoice, then sent a modified version with new banking details. The employee paid it because the email came from a trusted colleague's actual account. That's the reality of ATO.
How Attackers Actually Take Over Accounts in 2025
Understanding the attack vectors is the first step in account takeover prevention. Here are the methods I see used most frequently right now.
Credential Stuffing
Attackers take massive lists of breached credentials — billions are available on dark web marketplaces — and automate login attempts across popular services. Because people reuse passwords across sites, a breach at one service gives attackers the keys to dozens of others. The 23andMe breach is a textbook example.
Phishing and Spear Phishing
Phishing remains the most effective way for threat actors to harvest fresh credentials. Modern phishing kits are real-time adversary-in-the-middle (AiTM) proxies: the phishing page relays the victim's password and one-time code to the real site as they are typed, and the kit captures the session cookie the real site issues, so SMS and authenticator-app codes offer no protection against them. These aren't the poorly spelled emails from a decade ago. They're pixel-perfect replicas of Microsoft 365, Google Workspace, and banking login pages.
Session Hijacking and Token Theft
Infostealers like Raccoon, RedLine, and Lumma have become commoditized. For a small monthly fee, attackers deploy malware that harvests browser session cookies and authentication tokens directly from endpoints. With a valid session token, the attacker bypasses the login process entirely — no password or MFA needed.
SIM Swapping
For high-value targets, attackers social engineer mobile carriers into transferring a victim's phone number to a new SIM card. This lets them receive SMS-based MFA codes and phone-based password resets. The January 2024 hijack of the SEC's X (Twitter) account started this way: the attacker SIM-swapped the phone number tied to the account and used it to reset the password, and MFA had been disabled on the account months earlier.
Social Engineering of Helpdesks
The September 2023 MGM Resorts breach started with a phone call. An attacker called the IT helpdesk, impersonated an employee, and convinced the agent to reset MFA credentials. Ten minutes on the phone led to a ransomware attack that cost MGM over $100 million. Your helpdesk is a high-value target, and most organizations haven't trained their support staff to recognize social engineering tactics.
The Layered Defense Model That Actually Works
There's no single product that stops account takeover. I've seen organizations spend six figures on identity threat detection tools and still get compromised because they ignored the basics. Effective account takeover prevention requires layers — each one making the attacker's job harder.
Layer 1: Kill Password Reuse With a Password Manager
If your employees are choosing their own passwords, a meaningful percentage are reusing credentials from personal accounts. Mandate an enterprise password manager and have it generate a unique, random password for every service. For every account whose password came out of the manager, a leak elsewhere gives the attacker nothing to replay, which takes credential stuffing off the table. The residual risk is the accounts created outside the manager, so inventory those too.
Layer 2: Deploy Phishing-Resistant MFA
Not all multi-factor authentication is equal. SMS codes can be intercepted via SIM swapping. TOTP codes can be relayed by AiTM phishing kits. The gold standard in 2025 is FIDO2/WebAuthn: hardware security keys or passkeys, device-bound or synced. The browser, not the user, records the origin the login page was served from, and the authenticator's signature covers that record, so a lookalike phishing domain produces a response the legitimate site rejects. There is nothing for a phishing page to capture that works anywhere else.
CISA has been pushing phishing-resistant MFA as a priority since 2022, and the guidance is more relevant than ever. If you can't deploy hardware keys across your entire org immediately, start with your highest-risk accounts: IT admins, finance, executives, and anyone with access to sensitive data.
Layer 3: Implement Conditional Access and Zero Trust Principles
Zero trust isn't a product — it's an architecture decision. Every authentication request should be evaluated based on context: device health, location, time of day, risk score. If someone logs in from a managed device at your office, that's low risk. If someone logs in from an unrecognized device in another country at 3 AM, that needs stepped-up verification or outright blocking.
Conditional access policies in Microsoft Entra ID, Google Workspace, or Okta let you enforce this without building anything custom. I've seen organizations cut ATO incidents by over 70% simply by requiring managed devices for access to critical applications.
Layer 4: Monitor for Credential Exposure
Your credentials are already out there. Subscribe to a dark web monitoring service or use tools like Have I Been Pwned's domain search to get alerts when employee credentials appear in new breaches. When they do, force an immediate password reset and review that account's recent activity.
Layer 5: Train Your People to Spot the Attack
Technology handles a lot, but your employees are both the biggest target and your most adaptable defense. Phishing simulation programs that mimic real-world attacks — not generic templates — build the instinct to pause and verify before clicking. I've seen phishing click rates drop from 30% to under 5% within six months of consistent, realistic training.
If you're looking to build a structured program, our phishing awareness training for organizations walks teams through the exact scenarios attackers use today, including AiTM phishing, QR code phishing, and business email compromise lures.
For a broader foundation covering social engineering, ransomware, credential theft, and more, the cybersecurity awareness training program at computersecurity.us gives employees the practical knowledge they need without wasting their time on checkbox compliance content.
Securing Your Helpdesk: The Overlooked ATO Vector
After the MGM breach, every security team should have re-evaluated their helpdesk verification procedures. Here's what I recommend:
- Require callback verification. If someone calls requesting a password or MFA reset, hang up and call the employee back at the number on file. A callback defeats a caller who only knows the employee's name and title, but not one who has already SIM-swapped that number, so for MFA resets add a second channel: a video call, a message to the employee's corporate chat account, or confirmation from their manager.
- Use a shared secret or verification code that the employee set during onboarding — not information an attacker could find on LinkedIn.
- Flag and escalate unusual requests. If someone claims they've lost their phone, their laptop, and can't access email all at once, that's a red flag worth a five-minute delay to verify.
- Train helpdesk staff on social engineering tactics at least quarterly. Role-play the attacks. Make it uncomfortable. That discomfort is what builds resistance.
What Does an Account Takeover Attack Look Like From Inside?
This section is for those of you who want to know the warning signs — the things that show up in your logs before the damage is done.
Early Indicators
- Logins from unfamiliar IP addresses or geolocations, especially those that are geographically impossible given the user's last known location (impossible travel).
- Bursts of failed logins spread across many different accounts from the same source, with only one or two attempts per account, sometimes followed by a success on one of them. That is the credential stuffing pattern; per-account lockout thresholds miss it because no single account is hammered.
- MFA method changes: an attacker who gains access will often immediately register a new MFA device to maintain persistence.
- Inbox rules created to auto-forward or auto-delete emails — a hallmark of business email compromise.
- Unusual OAuth application consent grants in cloud environments.
What to Do When You Spot One
Speed matters. Revoke all active sessions and refresh tokens immediately, because a password reset on its own leaves existing sessions valid in many systems. Force a password reset. Audit MFA registrations and remove any the user doesn't recognize. Check for inbox forwarding rules, delegated mailbox access, and OAuth grants. Then investigate what the attacker accessed during the compromise window. In my experience, most organizations take days to detect ATO. The attackers know this, and they move fast.
Account Takeover Prevention Checklist for 2025
Here's the condensed version you can hand to your CISO or IT director today:
- Deploy phishing-resistant MFA (FIDO2/passkeys) for all high-risk accounts.
- Mandate enterprise password managers and ban password reuse.
- Enable conditional access policies — require managed devices, block impossible travel, step up authentication for risky sign-ins.
- Monitor for credential exposure on the dark web continuously.
- Run realistic phishing simulations monthly, not annually.
- Harden helpdesk verification procedures against social engineering.
- Log and alert on MFA method changes, inbox rule creation, and OAuth consent grants.
- Implement session token lifetime limits — don't let stolen cookies last forever.
- Adopt zero trust principles: never trust, always verify, minimize blast radius with least-privilege access.
- Review and rehearse your ATO incident response playbook quarterly.
The Credential Theft Problem Isn't Going Away
The economics are simple. Stolen credentials are cheap, effective, and scalable. The Verizon DBIR has flagged credential-based attacks as a top breach vector for years running. The infostealer malware market is booming. AI is making phishing emails more convincing and harder to detect.
Account takeover prevention isn't a one-time project. It's an ongoing discipline that combines strong authentication, vigilant monitoring, smart architecture decisions, and — most critically — well-trained people who recognize when something isn't right.
The organizations that treat ATO as a technology-only problem will keep showing up in breach headlines. The ones that build layered defenses and invest in their people's ability to spot social engineering? They make the attacker's job hard enough that the attacker moves on to an easier target.
That's the goal. Not perfection. Just being harder to compromise than the next organization on the list.