Account Takeover

Definition

Where an unauthorized user gains control of a user account, through means such as hacking, phishing or buying leaked credentials.

Related Terms

Compromised Account, Hacked Account, Unauthorized Access, Credential Stuffing, Phishing (as a common precursor), Identity Theft.

Background

An account takeover occurs when an unauthorized individual gains control of another person’s legitimate account. This can happen through various methods, including stolen passwords from data breaches on other sites (credential stuffing), successful phishing attacks, malware, or exploiting weak security practices. Once an account is taken over, the attacker can act as the legitimate account holder, potentially causing significant harm.

Volunteer moderators typically become aware of an account takeover when the legitimate account holder reports losing access, or if the account starts exhibiting highly uncharacteristic behaviour (e.g., posting spam, phishing links, abusive content, or sending unusual direct messages) that is noticed by other community members or moderators. Investigating and confirming account takeovers often involves liaising with the Service Administrator or web host who may have access to server logs or other backend tools.

Why We Care

Dealing with Account Takeovers is critical because a compromised account can be used to harm the original account holder’s reputation, spread malware or phishing links to other community members, post abusive content, or access private information. This erodes trust within the community and can create a sense of insecurity, as members may fear their own accounts are vulnerable.

Prompt and effective responses are essential to minimise damage, restore access to the rightful owner if possible, and maintain the integrity and trustworthiness of the community.

Spotting Account Takeovers: What to Look For

Identification often relies on reports from the legitimate account holder or observation of sudden, anomalous behaviour from an established account.

Account Traits (Observed Behaviour): An established account suddenly changes its typical posting style, language, or the topics it engages with. The profile picture, bio, or display name might be altered in an uncharacteristic way. The account might start promoting scams or suspicious services.

Content Characteristics: Look for the account posting spam, phishing links, malicious URLs, abusive content, or messages that are completely out of character for the known account holder. This might include sending unsolicited direct messages with suspicious links or making unusual requests to other community members.

Posting Patterns: The account might suddenly become hyperactive, posting a large volume of unwanted content, or it might go silent when it’s usually active (if the attacker is only using it for private malicious activity). Activity might occur at times unusual for the legitimate account holder (e.g., if their timezone is known).

Behaviour (after takeover): The account may not respond to messages from known associates or moderators, or respond in a way that indicates an unfamiliarity with past interactions or the account holder’s known personality. The legitimate account holder might report being locked out of their account.

Key Questions for Assessment:

  • “Have there been recent login attempts from unusual IP addresses or locations (information usually only available to Service Administrators)?”
  • “Has the legitimate account holder reported losing access to their account or noticing unauthorized activity?”
  • “Is an established account suddenly posting content or messages that are drastically out of character, such as spam, phishing, or abuse?”
  • “Are there multiple reports from other community members about unusual behaviour from the account?”
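As an added illustration (not IFTAS tooling), the script below turns the signals above into a per-day check over constructed sample activity logs: a login from a location the account has never used, activity at hours far from the holder’s usual ones, a post-volume spike, and link-heavy posts that are out of character. The event schema and thresholds are assumptions for the example.

```python
"""Heuristic account-takeover indicators over constructed activity logs.
Added example, not IFTAS tooling: it checks one day of an account's
activity for the guide's signals (new login location, unusual hours,
volume spike, out-of-character link-heavy posts) against its own past."""

# Constructed sample events: (ISO timestamp, kind, detail). Assumed schema.
EVENTS = [
    ("2024-05-01T09:15:00", "login", "DE"),
    ("2024-05-01T09:20:00", "post", "Great photos from the hike today"),
    ("2024-05-02T10:05:00", "login", "DE"),
    ("2024-05-02T10:10:00", "post", "Anyone have a good bread recipe?"),
    ("2024-05-03T08:50:00", "login", "DE"),
    ("2024-05-03T09:00:00", "post", "Morning all"),
    # Takeover day: new country, 03:00 login, burst of link spam
    ("2024-05-04T03:02:00", "login", "XX"),
    ("2024-05-04T03:05:00", "post", "FREE crypto http://example.invalid/1"),
    ("2024-05-04T03:06:00", "post", "claim now http://example.invalid/2"),
    ("2024-05-04T03:07:00", "post", "last chance http://example.invalid/3"),
    ("2024-05-04T03:08:00", "post", "verify at http://example.invalid/4"),
]


def ato_indicators(events, review_day):
    """Compare `review_day` (YYYY-MM-DD) with the account's earlier history.
    Returns which indicators fired and how many; a score is a prompt to
    contact the account holder, not proof of a takeover."""
    base = [e for e in events if e[0][:10] < review_day]
    today = [e for e in events if e[0][:10] == review_day]
    if not base or not today:
        return {"score": 0}
    base_locs = {d for _, k, d in base if k == "login"}
    base_hours = {int(t[11:13]) for t, _, _ in base}
    base_posts = [d for _, k, d in base if k == "post"]
    avg_posts = len(base_posts) / len({t[:10] for t, _, _ in base})
    base_links = sum("http" in d for d in base_posts) / max(len(base_posts), 1)
    today_posts = [d for _, k, d in today if k == "post"]
    today_locs = {d for _, k, d in today if k == "login"}
    # An hour is "usual" if within one hour of any hour seen in the baseline
    off_hours = [t for t, _, _ in today
                 if all(abs(int(t[11:13]) - h) > 1 for h in base_hours)]
    today_links = sum("http" in d for d in today_posts) / max(len(today_posts), 1)
    flags = {
        "new_login_location": bool(today_locs - base_locs),
        "unusual_hours": len(off_hours) > len(today) / 2,
        "volume_spike": len(today_posts) >= 3 * max(avg_posts, 1),
        "link_heavy_content": today_links >= base_links + 0.5,
    }
    flags["score"] = sum(flags.values())
    return flags
```

Run against the sample data, the takeover day fires all four indicators while an ordinary day fires none; a real deployment would tune the thresholds to the platform and still hand every hit to a moderator for confirmation.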

Before You Act: Common Pitfalls & Nuances

It’s important to act swiftly to secure a potentially compromised account, but also to ensure it is a genuine takeover.

Legitimate Change in Behaviour: Occasionally, an account holder might genuinely change their posting habits or express new opinions. Distinguish this from clearly malicious or spammy takeover behaviour.

Shared Accounts: If an account is known to be shared (a risky practice), it can be harder to determine unauthorised use without a report from one of the legitimate users.

Misunderstanding by Reporter: Someone might misinterpret a joke or an uncharacteristic but legitimate post as a takeover. Look for stronger signals.

Common Gotchas:

  • Leaving a compromised account active for too long, allowing further harm.
  • Not adequately communicating with the (presumed) legitimate account holder if they report the issue.
  • Failing to advise the account holder on securing their account and other online accounts after a takeover.
  • Restoring access without verifying the identity of the person reclaiming the account.

Key Point: An account takeover is characterized by unauthorised control. The primary indicators are reports from the user, or sudden, drastic, and usually malicious changes in an established account’s behaviour.

Managing Suspected Account Takeover: Key Steps

When an Account Takeover is suspected:

  • Temporarily Restrict the Account: To prevent further misuse, the Service Administrator should place a temporary restriction or freeze on the account to lock out the attacker and stop any ongoing harmful activity (e.g., spamming, phishing).
  • Attempt to Contact the Legitimate Account Holder: If the takeover was not reported by the account holder directly, try to reach them through any known alternative contact method (e.g., a previously registered email address on the platform, if your Service Administrator has access and policies allow).
  • Gather Information/Evidence: Note the specific uncharacteristic activity, when it started, and any reports received. This can help the legitimate owner understand what happened.
  • Verify a Reclaim Attempt: If the legitimate account holder contacts you to reclaim the account, the Service Administrator will need a secure process to verify their identity before restoring access (e.g., confirming details only the real owner would know, using a recovery email).
  • Advise on Security Measures: Once restored, advise the account holder to immediately change their password to a strong, unique one, enable multi-factor authentication if available, review their account for any unauthorised changes, and check their devices for malware. They should also change passwords on other sites if they reused the compromised one.
  • Discuss with Team (if applicable): Moderators should inform their Service Administrator immediately if they suspect a takeover. The Administrator will typically handle the technical aspects of account recovery.
  • Clean Up (if necessary): Remove any spam, phishing, or abusive content posted by the compromised account.

Example Community Guidance

Strike System: “Actions taken by a compromised account are generally not held against the legitimate account holder once an Account Takeover is confirmed and resolved, though content posted during the takeover will be removed. The focus is on account recovery and security.”

General Prohibition: “Users are responsible for maintaining the security of their accounts. Unauthorised access or use of another user’s account is a serious violation. Report suspected account takeovers immediately.”

Strict Enforcement: “If an account is confirmed to be taken over, it will be temporarily suspended to prevent abuse while attempts are made to contact and verify the legitimate owner. Malicious actors attempting account takeovers will be banned if identified.”

Further Reading

IFTAS (about.iftas.org): Nonprofit trust and safety support for volunteer social web content moderators.

IFTAS is a non-profit organisation committed to advocating for independent, sovereign technology, empowering and supporting the people who keep decentralised social platforms safe, fair, and inclusive.