Code Room
On-call · Medium · oc-g135
Subject: Account takeover
Level: Mid–Senior
~35 min
Common in Reliability & on-call interviews
Industries: Technology, Software development

Question

Support tickets spike: 60+ users in 2 hours report email-change confirmations and password resets they didn't request. Your auth dashboard shows login success rate dropped (lots of failures) but a steady stream of successes from a datacenter ASN, all hitting /login then immediately POST /account/change-email. Failed-login volume is 50x baseline. A third-party 'have I been pwned' style list for a competitor leaked last week. No MFA is enforced for most accounts. How do you triage and contain this account-takeover wave?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
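
One way to turn the signals in the question into a containment list, as an added example that is not part of the original page: it scans auth log lines for a successful /login followed shortly by POST /account/change-email from a datacenter ASN, and counts failed logins per source IP. The log layout, the 30-second window and the 200/401 status codes are assumptions, and the sample lines are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records; the field layout is an assumption:
# timestamp, source IP, ASN class, account, method, path, HTTP status
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 datacenter alice POST /login 401
2024-05-01T10:00:02Z 198.51.100.7 datacenter bob POST /login 200
2024-05-01T10:00:04Z 198.51.100.7 datacenter bob POST /account/change-email 200
2024-05-01T10:00:05Z 198.51.100.8 datacenter carol POST /login 401
2024-05-01T10:00:06Z 198.51.100.8 datacenter dave POST /login 200
2024-05-01T10:00:09Z 198.51.100.8 datacenter dave POST /account/change-email 200
2024-05-01T10:01:00Z 203.0.113.20 residential erin POST /login 200
2024-05-01T10:45:00Z 203.0.113.20 residential erin POST /account/change-email 200
2024-05-01T10:02:00Z 198.51.100.7 datacenter frank POST /login 401
"""

def parse(text):
    """Parse log lines into events sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, ip, asn, user, method, path, status = parts
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": ip, "asn": asn, "user": user,
                       "method": method, "path": path, "status": int(status)})
    return sorted(events, key=lambda e: e["ts"])

def triage(events, window=timedelta(seconds=30)):
    """Return (accounts to contain, failed-login count per source IP)."""
    failed_by_ip = Counter()
    last_login = {}  # (account, ip) -> time of last successful login
    flagged = set()
    for e in events:
        if e["method"] != "POST":
            continue
        key = (e["user"], e["ip"])
        if e["path"] == "/login":
            if e["status"] == 200:
                last_login[key] = e["ts"]
            else:
                failed_by_ip[e["ip"]] += 1
        elif e["path"] == "/account/change-email" and e["status"] == 200:
            t0 = last_login.get(key)
            # Symptom from the question: datacenter ASN, login then immediate email change
            if e["asn"] == "datacenter" and t0 and e["ts"] - t0 <= window:
                flagged.add(e["user"])
    return sorted(flagged), failed_by_ip
```

The returned account list scopes containment, and the per-IP failure counts show which sources are driving the failed-login spike.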
