Weak passwords and phishing emails get all the attention. But hackers use plenty of other methods to get into accounts--methods most businesses never think to protect against.

Here are seven ways attackers get access that you probably haven't considered.

1. Browser Extensions

That helpful browser extension? It might be reading everything you type.

Many extensions ask for sweeping permissions: access to "all websites", or the ability to "read and change all your data on the websites you visit". An extension with that scope runs its own code inside every page you open, including webmail, banking and login forms, and can send whatever it sees wherever it likes. Some are legitimate tools with poor security practices; others are malicious from the start, built to harvest credentials.

What to do:

  • Audit installed extensions across company devices, including the permissions each one holds
  • Allow only approved extensions, enforced through browser management policy (Chrome and Edge both support an extension install allowlist) rather than by asking people nicely
  • Remove extensions that request more permissions than their job needs
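The audit in the first bullet can be scripted. The following is an added example, not code from the article: it reads Chrome/Edge-style manifest.json files (Manifest V2 or V3), treats "every site" host patterns and a handful of sensitive APIs as the signals worth flagging, and checks each extension ID against an allowlist. The extension IDs, manifests, allowlist and the exact list of "sensitive" APIs are assumptions; scan_profile() shows how to point the same check at a real profile directory.

```python
"""Audit browser extensions for over-broad permissions.

Added example (not from the article): reads Chrome/Edge-style manifest.json
files, Manifest V2 or V3, and rates each extension by what it could see.
The extension IDs, manifests and allowlist below are constructed samples;
scan_profile() shows how to run the same check on a real profile directory.
"""
import json
from pathlib import Path

# Host patterns that mean "every site you visit" (a reviewer's judgement call).
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions worth a second look even when host access is narrow.
SENSITIVE_APIS = {
    "cookies": "can read cookies, including session cookies, for sites it has host access to",
    "webRequest": "can observe HTTP requests and responses",
    "webRequestBlocking": "can block or rewrite HTTP requests",
    "debugger": "can drive any tab through the DevTools protocol",
    "nativeMessaging": "can talk to native programs on the machine",
    "clipboardRead": "can read the clipboard",
    "proxy": "can route browser traffic through a proxy it chooses",
}


def audit_extension(ext_id, manifest, allowlist):
    """Rate one extension: returns a dict whose 'risk' is 'high', 'medium' or 'ok'."""
    api_perms = set(manifest.get("permissions", []))
    # MV2 mixes host patterns into "permissions"; MV3 moves them to "host_permissions".
    hosts = set(manifest.get("host_permissions", [])) | {
        p for p in api_perms if "://" in p or p == "<all_urls>"}
    api_perms -= hosts

    broad = hosts & BROAD_HOSTS
    sensitive = api_perms & SENSITIVE_APIS.keys()
    reasons = []
    if broad:
        reasons.append("runs on every site: " + ", ".join(sorted(broad)))
    reasons += [f"{api}: {SENSITIVE_APIS[api]}" for api in sorted(sensitive)]
    if ext_id not in allowlist:
        reasons.append("not on the approved-extension list")

    # Broad host access alone lets it read what you type; combined with a
    # sensitive API or an unvetted publisher it can also carry sessions away.
    if broad and (sensitive or ext_id not in allowlist):
        risk = "high"
    elif broad or sensitive or ext_id not in allowlist:
        risk = "medium"
    else:
        risk = "ok"
    return {"id": ext_id, "name": manifest.get("name", "?"), "risk": risk, "reasons": reasons}


def scan_profile(profile_dir, allowlist):
    """Audit every extension under <profile>/Extensions/<id>/<version>/manifest.json."""
    results = []
    for path in Path(profile_dir, "Extensions").glob("*/*/manifest.json"):
        with open(path, encoding="utf-8") as f:
            results.append(audit_extension(path.parents[1].name, json.load(f), allowlist))
    return results


# Constructed samples; real Chrome extension IDs are 32 lowercase letters.
SAMPLE_MANIFESTS = {
    "ext-approved-pwmgr": {"manifest_version": 3, "name": "Approved Password Manager",
                           "host_permissions": ["<all_urls>"], "permissions": ["storage", "tabs"]},
    "ext-free-pdf-helper": {"manifest_version": 2, "name": "Free PDF Helper",
                            "permissions": ["<all_urls>", "cookies", "webRequest", "storage"]},
    "ext-dark-theme": {"manifest_version": 3, "name": "Dark Theme", "permissions": []},
}
ALLOWLIST = {"ext-approved-pwmgr"}


def main():
    for ext_id, manifest in SAMPLE_MANIFESTS.items():
        r = audit_extension(ext_id, manifest, ALLOWLIST)
        print(f"[{r['risk']:6}] {r['name']} ({ext_id})")
        for reason in r["reasons"]:
            print("         -", reason)


if __name__ == "__main__":
    main()
```

The approved password manager still comes out "medium": broad host access is inherent to what it does, which is exactly why it belongs on an explicit allowlist rather than being waved through because the name sounds familiar.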

2. Session Hijacking

Even with a strong password and MFA, your session can be stolen after you log in.

When you authenticate to a service, it issues a session token, usually stored as a browser cookie, and every later request carries it. Anyone who copies that token can replay it and act as you: infostealer malware reads it straight out of the browser's cookie store, an eavesdropper on a network you don't control can capture it if it ever travels over plain HTTP, and a cross-site scripting flaw lets an injected script read it unless the cookie is marked HttpOnly. None of these require your password, and none of them trigger MFA again.

What to do:

  • Use HTTPS everywhere and a VPN on networks you don't control; a VPN protects the network hop, not against malware or XSS
  • Make sure session cookies carry the Secure and HttpOnly flags, so they're never sent over plaintext and never readable by page scripts
  • Set idle and absolute session timeouts on sensitive applications, and give administrators a way to revoke a user's sessions
  • Enable alerts for sessions from new locations or devices
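What those three controls look like on the server side, as an added example written for this page rather than code from the article: an in-memory session store with idle and absolute timeouts, an alert when a live session suddenly arrives from a different network address, a "sign out everywhere" revocation, and a Set-Cookie builder plus a quick checker for the flags named above. The timeout values and the sample addresses are assumptions.

```python
"""Server-side session handling that limits what a stolen token is worth.

Added example, not code from the article: an in-memory session store with
idle and absolute timeouts, an alert when a live session suddenly arrives
from a different network address, and the Set-Cookie attributes that keep
the token away from page scripts (HttpOnly) and off plaintext connections
(Secure). Timeout values and the sample addresses are assumptions.
"""
import secrets
import time

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session ends
ABSOLUTE_TIMEOUT = 8 * 3600   # hard lifetime regardless of activity


class SessionStore:
    def __init__(self):
        self._sessions = {}   # token -> {"user", "ip", "created", "last_seen"}
        self.alerts = []      # (user, old_ip, new_ip) events to forward to your alerting

    def login(self, user, ip, now=None):
        """Issue a fresh random token after authentication (never reuse a pre-login one)."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._sessions[token] = {"user": user, "ip": ip, "created": now, "last_seen": now}
        return token

    def validate(self, token, ip, now=None):
        """Return (user, 'ok') for a live session, or (None, reason) once it is dead."""
        now = time.time() if now is None else now
        s = self._sessions.get(token)
        if s is None:
            return None, "unknown token"
        if now - s["created"] > ABSOLUTE_TIMEOUT:
            self.revoke(token)
            return None, "absolute timeout"
        if now - s["last_seen"] > IDLE_TIMEOUT:
            self.revoke(token)
            return None, "idle timeout"
        if ip != s["ip"]:
            # A replayed token usually comes from the attacker's network, not the
            # victim's. Alert rather than hard-fail: mobile users change IPs legitimately.
            self.alerts.append((s["user"], s["ip"], ip))
            s["ip"] = ip
        s["last_seen"] = now
        return s["user"], "ok"

    def revoke(self, token):
        self._sessions.pop(token, None)

    def revoke_user(self, user):
        """'Sign out everywhere': what the helpdesk needs after a suspected theft."""
        for token in [t for t, s in self._sessions.items() if s["user"] == user]:
            self.revoke(token)


def session_cookie(token, name="sid"):
    """Set-Cookie value. HttpOnly: page scripts (XSS) cannot read it. Secure: never
    sent over plain HTTP, so an open Wi-Fi eavesdropper never sees it. SameSite=Lax
    keeps other sites from riding the session."""
    return f"{name}={token}; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age={ABSOLUTE_TIMEOUT}"


REQUIRED_FLAGS = ("HttpOnly", "Secure", "SameSite")


def missing_cookie_flags(set_cookie_header):
    """Quick audit of a Set-Cookie header (e.g. copied from `curl -sI`) for the flags above."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_header.split(";")[1:]}
    return [flag for flag in REQUIRED_FLAGS if flag.lower() not in attrs]


if __name__ == "__main__":
    store = SessionStore()
    t0 = time.time()
    token = store.login("alice", "203.0.113.10", now=t0)
    print("cookie:", session_cookie(token))
    print(store.validate(token, "203.0.113.10", now=t0 + 300))   # ('alice', 'ok')
    print(store.validate(token, "198.51.100.7", now=t0 + 600))   # same token, new network
    print("alerts:", store.alerts)
    print(store.validate(token, "198.51.100.7", now=t0 + 600 + IDLE_TIMEOUT + 1))  # idle timeout
    print("weak header missing:", missing_cookie_flags("sid=abc; Path=/"))
```

Run missing_cookie_flags() against the Set-Cookie headers your own applications emit; a session cookie missing HttpOnly or Secure is the cheapest finding on this whole list to fix.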

3. OAuth Token Abuse

"Sign in with Google" is convenient. It's also a potential attack vector.

When you authorize a third-party app to connect to your Google or Microsoft account, the provider issues that app an OAuth access token (and usually a refresh token) scoped to the permissions you approved: read your mail, see your files, manage your calendar. That token is separate from your password and never triggers your MFA prompt. If the app is compromised, or was malicious from the start, attackers read your data through that authorized connection, and the only thing that closes it is revoking the app's access.

What to do:

  • Regularly audit connected apps in your Google/Microsoft accounts, and at the tenant level in the admin console
  • Revoke access for apps you don't recognize or no longer use
  • Be cautious about which apps you authorize; read the permission list, not just the app name
  • Where your platform allows it, turn off user self-consent for third-party apps so an administrator reviews each request (both Microsoft 365 and Google Workspace offer this)

What You Should Be Able to See

Can you check right now:

  • Which third-party apps have access to your company's Microsoft 365?
  • What permissions each app has?
  • When access was granted and by whom?

In your admin portal this should be visible (for Microsoft 365, under Enterprise applications in the Microsoft Entra admin center; for Google Workspace, under Security > API controls in the Admin console). If you can't find it, ask your IT provider.
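Once you have that export, the questions above ("what permissions, granted when, by whom, still used?") reduce to a triage pass. The following is an added example, not part of the original article, covering both the "What to do" list and the visibility checklist: the record layout is an assumption, loosely modelled on Microsoft Graph's oauth2PermissionGrants (where `scope` is a space-separated string and `consentType` is 'Principal' for one user's consent or 'AllPrincipals' for tenant-wide admin consent) joined with each app's name and publisher-verification status. The list of high-risk scopes is a judgement call, and the grants are constructed, not real tenant data.

```python
"""Triage third-party app consent grants in a Microsoft 365 (Entra ID) tenant.

Added example, not part of the original article. The record layout is an
assumption, loosely modelled on Microsoft Graph's oauth2PermissionGrants
(where `scope` is a space-separated string and `consentType` is 'Principal'
for one user's consent or 'AllPrincipals' for tenant-wide admin consent),
joined with the app's name and publisher-verification status. The grants
below are constructed, not real tenant data.
"""
from datetime import date

# Delegated Microsoft Graph scopes that hand an app the crown jewels.
HIGH_RISK = {
    "Mail.Read": "read all of the user's mail",
    "Mail.ReadWrite": "read, create and delete mail",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "change mailbox rules and forwarding",
    "Files.Read.All": "read every file the user can reach",
    "Files.ReadWrite.All": "read and modify every file the user can reach",
    "Sites.ReadWrite.All": "modify SharePoint sites",
    "Directory.ReadWrite.All": "modify users and groups",
    "Contacts.Read": "read contacts (useful for follow-on phishing)",
}
# Sign-in basics that on their own reveal little.
LOW_RISK = {"openid", "profile", "email", "User.Read", "offline_access"}
STALE_DAYS = 90


def triage_grant(grant, today):
    """Decide what to do with one grant: 'revoke-or-justify', 'review' or 'ok'."""
    scopes = set(grant["scope"].split())
    risky = sorted(scopes & HIGH_RISK.keys())
    unknown = sorted(scopes - HIGH_RISK.keys() - LOW_RISK)
    verified = grant.get("publisher_verified", False)
    last_used = grant.get("last_used")
    stale = last_used is None or (today - last_used).days > STALE_DAYS

    reasons = [f"{s}: {HIGH_RISK[s]}" for s in risky]
    if risky and "offline_access" in scopes:
        reasons.append("offline_access: a refresh token keeps this access alive without the user present")
    if unknown:
        reasons.append("unclassified scopes, check manually: " + ", ".join(unknown))
    if not verified:
        reasons.append("publisher not verified")
    if grant["consent_type"] == "AllPrincipals":
        reasons.append("admin consent: applies to every user in the tenant")
    if stale:
        reasons.append("never used" if last_used is None else f"unused for more than {STALE_DAYS} days")

    if risky and (not verified or stale):
        action = "revoke-or-justify"
    elif risky or unknown or stale or not verified:
        action = "review"
    else:
        action = "ok"
    return {"app": grant["app"], "action": action, "granted_by": grant["granted_by"],
            "granted_on": grant["granted_on"], "reasons": reasons}


ORDER = {"revoke-or-justify": 0, "review": 1, "ok": 2}


def triage_all(grants, today):
    """Triage every grant, worst first: this is the list to walk through with IT."""
    return sorted((triage_grant(g, today) for g in grants), key=lambda r: ORDER[r["action"]])


# Constructed sample export for a fictional tenant.
SAMPLE_GRANTS = [
    {"app": "Contoso HR Portal", "publisher_verified": True, "consent_type": "Principal",
     "scope": "openid profile User.Read", "granted_by": "alice@example.com",
     "granted_on": date(2024, 3, 2), "last_used": date(2024, 5, 28)},
    {"app": "Free Email Signature Tool", "publisher_verified": False, "consent_type": "Principal",
     "scope": "Mail.ReadWrite Mail.Send offline_access User.Read", "granted_by": "bob@example.com",
     "granted_on": date(2024, 5, 20), "last_used": date(2024, 5, 31)},
    {"app": "Legacy Backup Connector", "publisher_verified": True, "consent_type": "AllPrincipals",
     "scope": "Files.ReadWrite.All offline_access", "granted_by": "admin@example.com",
     "granted_on": date(2022, 1, 15), "last_used": date(2023, 10, 1)},
    {"app": "Meeting Scheduler", "publisher_verified": True, "consent_type": "Principal",
     "scope": "Calendars.ReadWrite offline_access User.Read", "granted_by": "carol@example.com",
     "granted_on": date(2024, 4, 10), "last_used": date(2024, 5, 30)},
]


if __name__ == "__main__":
    for r in triage_all(SAMPLE_GRANTS, date(2024, 6, 1)):
        print(f"{r['action']:18} {r['app']}  (granted {r['granted_on']} by {r['granted_by']})")
        for reason in r["reasons"]:
            print("    -", reason)
```

Two of the sample grants land in the revoke pile for different reasons: the signature tool because an unverified publisher holds full mailbox rights with a refresh token, and the backup connector because tenant-wide file access that nobody has used in months is pure liability.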

4. SIM Swapping

SMS-based two-factor authentication has a weakness: your phone number can be stolen.

Attackers call your mobile carrier, impersonate you, and transfer your number to their SIM card. Now they receive your authentication codes. They can reset passwords, access accounts, and lock you out of your own phone number.

What to do:

  • Use authenticator apps instead of SMS for MFA; a code generated on your phone never passes through the carrier
  • Add a PIN or password to your mobile carrier account so a caller can't port your number without it
  • Use hardware security keys (FIDO2/WebAuthn) for critical accounts; unlike app codes, they can't be phished either

5. Password Reset Abuse

Sometimes attackers don't need your password--they just need to reset it.

If your password reset relies on easily guessable security questions ("What's your mother's maiden name?") or email confirmation to a compromised account, attackers have a backdoor.

What to do:

  • Use random answers to security questions (stored in a password manager), since the real answers are often public
  • Ensure recovery emails and phone numbers are secured with MFA, and that they are still yours
  • Monitor for unexpected password reset attempts: several requests against one account in a few minutes, requests from an address the account has never signed in from, or one address requesting resets for many accounts
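The monitoring in the last bullet is a few lines of log analysis. Added detection example, not from the article: the log format is a constructed one (timestamp, event name, key=value fields), not any identity provider's real export, and the thresholds are assumptions to tune against your own baseline. The three rules are a burst of resets against one account, a reset from an address that account has never successfully signed in from, and one address requesting resets for many different accounts.

```python
"""Spot password-reset abuse in authentication logs.

Added detection example, not from the article. The log format is a
constructed one (timestamp, event name, key=value fields), not any
identity provider's real export; adapt parse_line() to yours. Rules:
  1. reset-burst: several reset requests for one account in a short window
  2. new-ip-reset: a reset requested from an address that account has never
     successfully signed in from
  3. reset-sweep: one address requesting resets for many different accounts
Thresholds are assumptions to tune against your own baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
BURST_COUNT = 3    # resets for one account inside WINDOW
SWEEP_COUNT = 5    # distinct accounts from one address inside WINDOW


def parse_line(line):
    """'2024-06-03T12:00:00Z PASSWORD_RESET_REQUESTED user=bob ip=198.51.100.7 via=sms' -> dict."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")), "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Return alerts as (timestamp, rule, user, ip) tuples, in time order."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    known_ips = defaultdict(set)     # user -> addresses with a past successful login
    by_user = defaultdict(list)      # user -> recent reset timestamps
    by_ip = defaultdict(list)        # ip -> recent (timestamp, user)
    already_flagged = set()          # (user, ip) pairs alerted on once, to cut noise
    alerts = []
    for e in events:
        if e["event"] == "LOGIN_SUCCESS":
            known_ips[e["user"]].add(e["ip"])
            continue
        if e["event"] != "PASSWORD_RESET_REQUESTED":
            continue
        ts, user, ip = e["ts"], e["user"], e["ip"]

        if ip not in known_ips[user] and (user, ip) not in already_flagged:
            already_flagged.add((user, ip))
            alerts.append((ts, "new-ip-reset", user, ip))

        by_user[user] = [t for t in by_user[user] if ts - t <= WINDOW] + [ts]
        if len(by_user[user]) == BURST_COUNT:      # fire once, when the threshold is crossed
            alerts.append((ts, "reset-burst", user, ip))

        by_ip[ip] = [(t, u) for t, u in by_ip[ip] if ts - t <= WINDOW] + [(ts, user)]
        if len({u for _, u in by_ip[ip]}) == SWEEP_COUNT:
            alerts.append((ts, "reset-sweep", "*", ip))
    return alerts


# Constructed log: alice's reset is routine, bob's looks like account takeover,
# and 192.0.2.44 is walking through the staff list.
SAMPLE_LOG = """\
2024-06-03T08:55:00Z LOGIN_SUCCESS user=alice ip=203.0.113.10
2024-06-03T09:00:00Z LOGIN_SUCCESS user=bob ip=203.0.113.11
2024-06-03T09:05:00Z PASSWORD_RESET_REQUESTED user=alice ip=203.0.113.10 via=email
2024-06-03T12:00:00Z PASSWORD_RESET_REQUESTED user=bob ip=198.51.100.7 via=sms
2024-06-03T12:02:00Z PASSWORD_RESET_REQUESTED user=bob ip=198.51.100.7 via=sms
2024-06-03T12:04:00Z PASSWORD_RESET_REQUESTED user=bob ip=198.51.100.7 via=question
2024-06-03T13:00:00Z PASSWORD_RESET_REQUESTED user=carol ip=192.0.2.44 via=email
2024-06-03T13:00:30Z PASSWORD_RESET_REQUESTED user=dave ip=192.0.2.44 via=email
2024-06-03T13:01:00Z PASSWORD_RESET_REQUESTED user=erin ip=192.0.2.44 via=email
2024-06-03T13:01:30Z PASSWORD_RESET_REQUESTED user=frank ip=192.0.2.44 via=email
2024-06-03T13:02:00Z PASSWORD_RESET_REQUESTED user=grace ip=192.0.2.44 via=email
"""


if __name__ == "__main__":
    for ts, rule, user, ip in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts:%H:%M:%S} {rule:13} user={user:6} ip={ip}")
```

The new-IP rule is deliberately the noisiest of the three; in practice you would seed known_ips from weeks of sign-in history rather than from the same file, otherwise every reset looks unfamiliar.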

6. Abandoned Accounts

Former employees, old test accounts, forgotten service accounts--they're all potential entry points.

Attackers specifically look for dormant accounts because nobody is watching them: the owner won't notice a login, the password is often old or reused, and service accounts frequently can't use MFA at all. If an old account still has access to your systems, it's a vulnerability waiting to be exploited.

What to do:

  • Regularly audit and disable inactive accounts, and remove a leaver's access the day they leave
  • Implement automatic disabling after 90 days of inactivity (measured from creation for accounts that have never signed in)
  • Document all service accounts, their owners and their purposes, and keep a short, explicit exemption list for break-glass accounts
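Turning those three rules into a repeatable review, as an added example that is not from the article: the input is a constructed directory export (one dict per account) rather than any product's real schema, so map your own export (Entra ID, Google Workspace, Active Directory) onto these fields. The 90-day threshold, the field names and the sample accounts are assumptions.

```python
"""Plan the cleanup of dormant and undocumented accounts.

Added example, not from the article. The input is a constructed directory
export (one dict per account), not any product's real schema. Rules follow
the article: disable after 90 days without a sign-in, measure never-used
accounts from their creation date, disable leavers immediately, and require
every service account to carry an owner and a purpose. Break-glass accounts
are exempted by an explicit list, never silently.
"""
from datetime import date

INACTIVE_DAYS = 90


def review_account(acct, today, exempt=frozenset()):
    """Return (action, reason): 'disable', 'document', 'ok' or 'exempt'."""
    if acct["name"] in exempt:
        return "exempt", "on the break-glass/exempt list; review by hand"
    if not acct["enabled"]:
        return "ok", "already disabled"
    if acct.get("left_company"):
        return "disable", "owner has left the company"
    last = acct.get("last_sign_in")
    # An account that has never signed in is measured from the day it was created.
    idle = (today - (last or acct["created"])).days
    if idle > INACTIVE_DAYS:
        basis = "since last sign-in" if last else "since creation, never signed in"
        return "disable", f"{idle} days {basis}"
    if acct["type"] == "service" and not (acct.get("owner") and acct.get("purpose")):
        return "document", "service account with no recorded owner/purpose"
    return "ok", f"last activity {idle} days ago"


ORDER = {"disable": 0, "document": 1, "exempt": 2, "ok": 3}


def cleanup_plan(accounts, today, exempt=frozenset()):
    """Review every account and return (name, action, reason), most urgent first."""
    plan = [(a["name"], *review_account(a, today, exempt)) for a in accounts]
    return sorted(plan, key=lambda row: ORDER[row[1]])


# Constructed export; 'today' is fixed so the output is reproducible.
TODAY = date(2024, 6, 1)
EXEMPT = frozenset({"breakglass-admin"})
SAMPLE_ACCOUNTS = [
    {"name": "alice", "type": "user", "enabled": True, "created": date(2021, 2, 1),
     "last_sign_in": date(2024, 5, 30)},
    {"name": "bob", "type": "user", "enabled": True, "created": date(2020, 9, 14),
     "last_sign_in": date(2024, 5, 29), "left_company": True},
    {"name": "test-qa", "type": "user", "enabled": True, "created": date(2023, 11, 1),
     "last_sign_in": None},
    {"name": "svc-backup", "type": "service", "enabled": True, "created": date(2022, 6, 1),
     "last_sign_in": date(2024, 5, 31), "owner": None, "purpose": None},
    {"name": "svc-legacy-sync", "type": "service", "enabled": True, "created": date(2019, 1, 1),
     "last_sign_in": date(2024, 1, 15), "owner": "it-ops", "purpose": "CRM sync"},
    {"name": "breakglass-admin", "type": "user", "enabled": True, "created": date(2020, 1, 1),
     "last_sign_in": date(2023, 6, 1)},
    {"name": "old-contractor", "type": "user", "enabled": False, "created": date(2022, 3, 3),
     "last_sign_in": date(2023, 1, 9)},
]


if __name__ == "__main__":
    for name, action, reason in cleanup_plan(SAMPLE_ACCOUNTS, TODAY, EXEMPT):
        print(f"{action:9} {name:18} {reason}")
```

Note that bob is flagged even though he signed in last week: a leaver's account is disabled on the leaving date, not when it eventually goes quiet. The break-glass account, by contrast, would be flagged as dormant if it were not on the exemption list, which is the point of keeping that list explicit.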

7. Supply Chain Compromise

You might have perfect security, but what about your vendors?

Attackers increasingly target smaller vendors to reach larger targets. If a software tool you use gets compromised, attackers can push malicious updates directly to your systems.

What to do:

  • Vet vendors' security practices
  • Limit vendor access to only what's necessary
  • Monitor for unusual activity from vendor connections

Questions to Ask Your IT Provider

  • "What third-party apps are connected to our Microsoft 365 or Google Workspace?"
  • "Do we have any dormant accounts that still have system access?"
  • "Are we using SMS or authenticator apps for MFA?"
  • "How do we audit browser extensions on company devices?"

The Bottom Line

Security isn't just about strong passwords and phishing training--though those matter too. It's about understanding all the ways attackers can get in and having visibility into each one.

The common thread: you should be able to see what's connected to your systems, who has access, and whether anything unusual is happening. If you can see it, you can protect it.