threat level: human

man account-takeover-red-flags

Passwords, MFA and Account Takeover

How accounts get stolen, and the three habits that stop almost all of it.

By the numbers

  • 99%+ of identity attacks stopped by phishing-resistant MFA (Microsoft, 2025)
  • 88% of web-app attacks use stolen credentials (Verizon DBIR, 2025)
  • 17B+ accounts exposed in known data breaches (Have I Been Pwned, 2026)

How accounts get taken over

  • Reused passwords. One leaked password unlocks every other account that shares it.
  • A login reached through a link. Adversary-in-the-middle pages relay your real login and steal the session token.
  • An MFA prompt you did not start. Approving a push you did not request hands over your live session.

Harden your accounts

  • Use a password manager. A long, unique password per site, so one breach cannot spread.
  • Prefer phishing-resistant MFA. An app code, a passkey, or a security key beats a code sent by SMS.
  • Check your exposure. Look up your email in known-breach data and reset anything that shows up.

Signs an account is already taken

  • Logins or alerts you do not recognize. Sign-in notices from new devices or locations you never used.
  • Settings that changed on their own. New forwarding rules, recovery emails, or phone numbers added to the account.
  • Contacts getting messages you did not send. Spam or scam messages going out from your account.

Do and don't

Do

  • Use a password manager so every account has a long, unique password.
  • Turn on phishing-resistant MFA: a passkey, a security key, or an app code over SMS.
  • Check your email and passwords against known-breach data and reset matches.
  • Keep recovery email and phone current, and review active sessions now and then.

Don't

  • Do not reuse passwords across sites.
  • Do not enter your password on a page you reached from a link.
  • Do not approve an MFA prompt you did not start, and never share a one-time code.
  • Do not rely on SMS codes alone for your most important accounts.
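One way to carry out the "check your passwords against known-breach data" step without ever sending the password itself, as an added example that is not the page's own code: hash the password with SHA-1, send only the first five hex characters of the digest to a k-anonymity range lookup, and compare the remaining suffix locally. The range-response body below is constructed for the example, and `offline_fetch_range` stands in for the real HTTPS call, which is assumed to follow the Have I Been Pwned Pwned Passwords range API format of one `SUFFIX:COUNT` line per hash.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip blank or malformed lines."""
    seen: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            seen[suffix.strip().upper()] = int(count)
        except ValueError:
            continue  # malformed count, ignore the line rather than crash
    return seen


def breach_count(password: str, fetch_range) -> int:
    """How often the password appears in breach data (0 if unseen).

    fetch_range(prefix) returns the response body for a 5-char prefix;
    neither the password nor its full hash is ever passed to it."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed sample of a range response for prefix 5BAA6. The first suffix is
# the real SHA-1 tail of "password"; the counts and other suffixes are made up.
SAMPLE_RANGE_BODY = """
1E4C9B93F3F0682250B6CF8331B7EE68FD8:4000000
00000000000000000000000000000000001:3
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:17
"""


def offline_fetch_range(prefix: str) -> str:
    """Stand-in (assumption) for an HTTPS GET of the range endpoint for `prefix`."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = breach_count(pw, offline_fetch_range)
        print(f"{pw!r}: {'seen in breaches' if n else 'not in sample data'} ({n})")
```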

The one move

Turn on multi-factor authentication everywhere, use a password manager so every login is unique, and never approve an MFA prompt you did not personally trigger. Those three habits stop most account takeovers.

If it happens

  1. From a clean device, change the password and sign out all sessions.
  2. Re-check MFA, recovery options, and forwarding rules for anything you did not set.
  3. Reset every other account that shared that password.
  4. Warn contacts if scam messages went out, and report platform takeovers to the provider.

Go deeper

For the bigger picture, read "What is social engineering" and "How to spot a phishing email". See these warning signs in real cases in the weekly briefings.

Frequently asked questions

// guides/account-takeover-red-flags --help
What are the red flags of passwords, MFA and account takeover?

Watch for reused passwords, a login reached through a link, and an MFA prompt you did not start, plus any pressure to act fast, skip a check, or keep it secret. Use a password manager so one leaked password cannot spread to other accounts.

What is the one move that stops it?

Turn on multi-factor authentication everywhere, use a password manager so every login is unique, and never approve an MFA prompt you did not personally trigger. Those three habits stop most account takeovers.

What should I do if it already happened?

From a clean device, change the password and sign out all sessions. Re-check MFA, recovery options, and forwarding rules for anything you did not set. Reset every other account that shared that password. Warn contacts if scam messages went out, and report platform takeovers to the provider.