Code Room
On-call | Medium | oc-g154
Subject: Account takeover
Level: Mid–Senior
~35 min
Common in: Reliability & on-call interviews
Industries: Technology, Software development

Question

A high-value customer reports their account was drained overnight. Logs show: a successful password reset via the 'SMS recovery' flow, then a withdrawal to a new external address, all from a new device. The customer never got the SMS codes. Your fraud dashboard shows a small but rising cluster of identical sequences over the past day — all targeting accounts with phone-based recovery enabled, all completing the SMS OTP step successfully despite the victims reporting no codes received. The phone-number-on-file was unchanged in your system. How do you triage, contain, and remediate this SIM-swap-driven account-takeover pattern?

What a strong answer looks like

Stop the bleeding first (mitigate), then form hypotheses from real signals. Separate root cause from symptom, communicate status as you go, and close with what prevents a repeat.
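The sequence in the question (SMS-recovery reset, then a withdrawal to a new external address, from a new device) can be written as a scoping pass over auth and payout events to list the accounts to hold during containment. This is an added example, not part of the original page; the event schema, field names and 24-hour window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def E(ts, acct, kind, device, **extra):
    """Build one event record (hypothetical schema, assumed for this example)."""
    return {"ts": datetime.fromisoformat(ts), "account": acct,
            "type": kind, "device": device, **extra}

# Constructed sample events, not real logs.
EVENTS = [
    E("2024-05-01T09:00:00", "acct-A", "login", "dev-1"),
    E("2024-05-01T09:05:00", "acct-A", "withdrawal", "dev-1", address="addr-known-A"),
    E("2024-05-07T02:10:00", "acct-A", "password_reset", "dev-9", method="sms_recovery"),
    E("2024-05-07T02:30:00", "acct-A", "withdrawal", "dev-9", address="addr-new-1"),
    # Benign: SMS reset and payout from a known device to a known address.
    E("2024-05-02T10:00:00", "acct-B", "login", "dev-2"),
    E("2024-05-02T10:01:00", "acct-B", "withdrawal", "dev-2", address="addr-known-B"),
    E("2024-05-07T11:00:00", "acct-B", "password_reset", "dev-2", method="sms_recovery"),
    E("2024-05-07T11:20:00", "acct-B", "withdrawal", "dev-2", address="addr-known-B"),
    # Different recovery flow: outside this cluster's signature.
    E("2024-05-07T03:00:00", "acct-C", "password_reset", "dev-7", method="email_recovery"),
    E("2024-05-07T03:10:00", "acct-C", "withdrawal", "dev-7", address="addr-new-2"),
    # SMS reset from a new device, but the payout falls outside the window.
    E("2024-05-03T01:00:00", "acct-D", "password_reset", "dev-8", method="sms_recovery"),
    E("2024-05-07T04:00:00", "acct-D", "withdrawal", "dev-8", address="addr-new-3"),
]

def find_suspect_accounts(events, window=timedelta(hours=24)):
    """Flag an SMS-recovery reset from a device new to the account, followed
    within `window` by a withdrawal from that device to a never-used address."""
    devices, addresses, pending = defaultdict(set), defaultdict(set), {}
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        acct, dev = e["account"], e["device"]
        if (e["type"] == "password_reset" and e.get("method") == "sms_recovery"
                and dev not in devices[acct]):
            pending[acct] = e  # remember the reset; judge it at the payout
        elif e["type"] == "withdrawal":
            reset = pending.get(acct)
            if (reset and dev == reset["device"]
                    and e["ts"] - reset["ts"] <= window
                    and e["address"] not in addresses[acct]):
                hits.append({"account": acct, "device": dev, "address": e["address"],
                             "reset_ts": reset["ts"], "withdrawal_ts": e["ts"]})
            addresses[acct].add(e["address"])
        devices[acct].add(dev)  # update history only after evaluating the event
    return hits
```

Pending resets that have not yet produced a withdrawal are the accounts where a hold can still prevent loss, so the same pass can report `pending` entries without a matching hit.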
