Account Hijacking
Unauthorised takeover of an online account — email, social media, banking, or e-commerce — typically as a stepping stone to financial theft, fraud, or further attacks.
Also known as: account compromise, account takeover, login hijacking
Last reviewed: 1 June 2026
Account hijacking (a specific form of account takeover) is the act of gaining unauthorised control of another person's online account. It is typically achieved through credential stuffing (using username/password combinations from data breaches), phishing, SIM-swap attacks (to bypass SMS-based MFA), malware that steals saved passwords, or exploiting account-recovery weaknesses.
Hijacked accounts are exploited in several ways: bank accounts are drained directly; email accounts are used to intercept financial communications, reset passwords on linked services, or launch trusted-sender phishing at the victim's contacts; social media accounts are sold, used to run scam ads, or leveraged for romance and investment fraud; and e-commerce accounts are used to place fraudulent orders or harvest stored payment methods.
The scale of credential exposure from historical breaches means billions of username/password pairs are available on criminal markets, making automated hijacking attempts constant. Unique, strong passwords for every account and hardware-key MFA are the strongest individual protections.
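Because credential stuffing is automated, it leaves a recognisable footprint in authentication logs: one source trying many distinct usernames with mostly failures. The following detector is an added example, not part of this entry; the log format, the sample lines and the thresholds are all constructed assumptions.

```python
"""Credential-stuffing detection over constructed auth log lines.

Assumptions (not from the glossary entry): each line is
"<timestamp> <src_ip> <username> <LOGIN_OK|LOGIN_FAIL>", and the
thresholds below are illustrative, not tuned for any real system.
"""
from collections import defaultdict

# Constructed sample: one IP sprays many usernames (and hits one),
# a second IP is a single user mistyping their password once.
SAMPLE_LOG = """\
2026-06-01T10:00:01 203.0.113.7 alice LOGIN_FAIL
2026-06-01T10:00:02 203.0.113.7 bob LOGIN_FAIL
2026-06-01T10:00:03 203.0.113.7 carol LOGIN_FAIL
2026-06-01T10:00:04 203.0.113.7 dave LOGIN_FAIL
2026-06-01T10:00:05 203.0.113.7 erin LOGIN_OK
2026-06-01T10:00:06 203.0.113.7 frank LOGIN_FAIL
2026-06-01T10:05:00 198.51.100.20 alice LOGIN_FAIL
2026-06-01T10:05:10 198.51.100.20 alice LOGIN_OK
"""

def parse(log_text):
    """Parse log lines into (timestamp, ip, user, success) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than abort the whole run
        ts, ip, user, outcome = parts
        events.append((ts, ip, user, outcome == "LOGIN_OK"))
    return events

def detect_stuffing(events, min_users=5, min_fail_ratio=0.6):
    """Flag source IPs that tried many distinct usernames with a high failure
    ratio; 'compromised' lists accounts that succeeded from such an IP and
    should be reviewed (forced re-authentication, session revocation)."""
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "ok": set()})
    for _ts, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["total"] += 1
        if ok:
            s["ok"].add(user)
        else:
            s["fails"] += 1
    alerts = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            alerts[ip] = {"distinct_users": len(s["users"]),
                          "fail_ratio": round(ratio, 2),
                          "compromised": sorted(s["ok"])}
    return alerts

if __name__ == "__main__":
    for ip, info in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The legitimate user at 198.51.100.20 is not flagged because a single account with one failure does not meet the distinct-username threshold.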
Examples
- A fraudster uses credentials from an old data breach to access a victim's email, resets their banking password, and transfers funds within minutes.
- A hijacked Instagram account with a large following is used to promote a cryptocurrency investment fraud.