Account pre-hijacking attacks are a class of security exploit related to online services.[1][2][3]
The attack relies on confusion between accounts created by federated identity services and accounts created using e-mail addresses and passwords, and the failure of services to resolve this confusion correctly.[1]
Pre-hijacking was first identified as a class of vulnerabilities in 2022, based on research funded by Microsoft's Security Response Center.[4][5]
Out of 75 online services surveyed, 35 were found to be vulnerable to various forms of the exploit.
Vulnerable services included Dropbox, Instagram, LinkedIn, WordPress and Zoom.
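
The account confusion described above, shown from the service's side as an added example (not code from the cited research or from any of the named services). The store, field names and the resolution policy in `strict_federated_login` are assumptions made for illustration; it contrasts a merge that keeps pre-existing credentials with one that refuses to inherit an unverified record.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    email_verified: bool = False
    password_hash: Optional[str] = None
    federated_subject: Optional[str] = None  # stable user id from the identity provider
    sessions: set = field(default_factory=set)


class AccountStore:
    """Hypothetical in-memory store keyed by normalized e-mail address."""

    def __init__(self):
        self.by_email = {}

    def register_with_password(self, email, password_hash):
        key = email.strip().lower()
        if key in self.by_email:
            raise ValueError("e-mail already registered")
        self.by_email[key] = Account(email=key, password_hash=password_hash)
        return self.by_email[key]

    def naive_federated_login(self, email, subject):
        # Weak: merges into whatever account already holds this address, so a
        # password and sessions set before the merge keep working afterwards.
        key = email.strip().lower()
        acct = self.by_email.setdefault(key, Account(email=key))
        acct.federated_subject, acct.email_verified = subject, True
        return acct

    def strict_federated_login(self, email, subject):
        # Assumes the identity provider asserts this address as verified.
        key = email.strip().lower()
        acct = self.by_email.get(key)
        if acct is None or not acct.email_verified:
            # Nobody proved control of the address: discard the unverified
            # record (password, sessions) instead of merging into it.
            acct = Account(email=key, email_verified=True, federated_subject=subject)
            self.by_email[key] = acct
            return acct
        if acct.federated_subject != subject:
            # Verified account not linked to this identity: require the owner
            # to sign in with the existing credential before linking.
            raise PermissionError("existing account must authorize linking")
        return acct
```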