---
title: Account takeover
description: Account takeover (ATO) is when someone who isn't the account owner signs in, usually with stolen or guessed credentials. Rupt scores it at login from device, network, and location signals.
---

# Account takeover

Account takeover (`ato`) is when someone other than the owner signs in to an existing account. The credentials are usually real (bought from a breach dump, phished, or guessed through credential stuffing), so a password check alone won't catch it. What gives the attacker away is the context around the login: a device, network, or location that doesn't fit the real owner.

Rupt scores this risk on the `login` [action](/docs/v3/concepts/actions).

## What Rupt looks for

The headline [checks](/docs/v3/concepts/checks) that feed the score:

- **[New fingerprint](/docs/v3/concepts/fingerprints)**: the login comes from a browser or device Rupt hasn't seen on this account.
- **[New IP](/docs/v3/concepts/ip)**: an address the user hasn't connected from recently.
- **[Impossible travel](/docs/v3/concepts/impossible-travel)**: the account was active somewhere else too recently for the same person to have moved between the two locations.
- **[Anonymizing network](/docs/v3/concepts/anonymizing-network)**: the connection is hiding behind a VPN, proxy, or Tor.

No single check is damning. People buy new phones and travel. The score climbs when several line up at once: a new device on a new IP behind a VPN, far from where the account usually signs in, is a very different story from any one of those alone.

## Severity and response

Rupt rolls the triggered checks into an `ato` [risk](/docs/v3/concepts/risks) severity from `low` to `maximum`, recorded on the evaluation. To act on it today, match your [policies](/docs/v3/concepts/policies) on the underlying [checks](/docs/v3/concepts/checks): for example, [challenge](/docs/v3/concepts/challenges) when a new device and [impossible travel](/docs/v3/concepts/impossible-travel) stack up, so a genuine owner on a new laptop gets a quick verification instead of a lockout, while an attacker stacking signals hits a step they can't fake. Matching a policy on the `ato` severity directly is coming soon.
