Time-sensitive actions ahead
If you believe your account is actively being misused, start with Step 1 immediately. The actions in the first section are designed to be completed within the first 24 hours to minimize damage.
Signs Your Account Has Been Compromised
Before taking action, confirm that a compromise has actually occurred. Not every suspicious event means your account has been hacked, but it is always better to investigate. Common indicators include:
- Password no longer works. You are locked out of an account despite entering your correct credentials. This often means someone has changed your password.
- Unexpected password reset emails. You receive emails about password changes or security alerts that you did not initiate.
- Unrecognized activity. You see messages you did not send, purchases you did not make, posts you did not publish, or login notifications from unfamiliar locations or devices.
- Security settings have changed. Your recovery email, phone number, or multi-factor authentication settings have been altered without your knowledge.
- Contacts report strange messages. Friends, family, or colleagues tell you they received unusual messages from your account.
- New accounts or subscriptions. You discover accounts or services you did not sign up for, possibly using your email address.
If you are experiencing one or more of these signs, proceed with the recovery steps below. Even if you are unsure, it is safer to act now and verify later.
Step 1: Immediate Actions (First 24 Hours)
These are the highest-priority steps. Complete them as quickly as possible, in the order listed. Use a device you trust — if you suspect your computer or phone may have malware, borrow a clean device from someone you trust or use a device that has not been connected to your compromised accounts.
- Secure your primary email first. Your email account is the master key to your digital life because nearly every other account sends password resets to it. If an attacker controls your email, they can take over everything else. Change your email password immediately using a strong, unique password you have never used before.
- Enable multi-factor authentication on your email. If you do not already have MFA enabled, turn it on now, using an authenticator app or a hardware security key rather than SMS if possible. With MFA in place, knowing your new password is no longer enough for the attacker to get back in.
- Review your email recovery settings. Check that your recovery phone number and backup email address have not been changed to ones you do not recognize. Remove any unfamiliar recovery options.
- Check for email forwarding rules. Attackers sometimes set up email forwarding to silently copy all your incoming mail. Check your email settings for any forwarding rules or filters you did not create, and delete them.
- Change the password on the compromised account. If you still have access, change the password immediately. If you are locked out, use the service's account recovery process. Most major platforms have dedicated recovery flows for compromised accounts.
- Revoke all active sessions. Most services let you sign out of all devices. Do this after changing your password to force the attacker out of any sessions they still hold. Changing a password does not always invalidate app-specific passwords or API tokens, so revoke those as well wherever the service lists them.
Step 2: Secure Your Email First
Your email deserves special attention because it is the recovery mechanism for almost every other online account. Here is how to thoroughly secure it:
- Change your password to something completely new — at least 16 characters, ideally generated by a password manager. Do not reuse any previous password.
- Review all active sessions and sign out of every device you do not recognize. In Gmail, you can find this at the bottom of your inbox. In Outlook, check the recent activity page.
- Check connected apps and permissions. Review which third-party apps have access to your email account. Revoke access for anything you do not recognize or no longer use.
- Review your sent and trash folders. Look for messages the attacker may have sent from your account, especially to your contacts, financial institutions, or other services.
- Check for new filters or labels. Attackers may create filters to hide certain incoming emails from you, such as security alerts from other services they are trying to compromise.
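Forwarding rules and filters (Step 1 and the last item above) are easy to miss in a settings page with dozens of entries. Gmail lets you export all filters as an XML file (Settings, then Filters and Blocked Addresses, then Export). The following is an added example, not code from the original page: a small Python audit script that reads such an export and flags any filter that forwards mail or that trashes, archives or marks as read messages whose criteria mention passwords, verification codes or sign-in alerts. The embedded export is constructed for the example, and the set of property names it expects (forwardTo, shouldTrash, shouldArchive and so on) is an assumption about the export format rather than something the page states.

```python
# Added example: audit an exported Gmail filter file for rules an attacker
# typically plants (forward, auto-delete, auto-archive, mark-as-read on
# security-related mail). Gmail exports filters as an Atom XML feed with
# <apps:property name=... value=...> elements. The property names below are
# an assumption about that format; the sample export is constructed here.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Property names that describe what a filter does, as opposed to what it matches.
ACTION_KEYS = {
    "label", "forwardTo", "shouldTrash", "shouldArchive", "shouldMarkAsRead",
    "shouldStar", "shouldNeverSpam", "shouldAlwaysMarkAsImportant",
    "shouldNeverMarkAsImportant", "smartLabelToApply",
}
# Actions that keep a matching message out of sight.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Words an attacker filters on to suppress alerts from other services.
SECURITY_TERMS = ("password", "verification", "security", "sign-in", "login", "reset", "code")

# Constructed sample: one harmless newsletter filter and one attacker-style filter.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <content/>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <content/>
    <apps:property name='subject' value='password reset'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='forwardTo' value='collector@attacker.example'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per <entry> in the export."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def audit_filters(filters):
    """Flag filters that forward mail anywhere, or that hide mail whose
    matching criteria look security-related. Returns [(index, [reasons])]."""
    findings = []
    for i, f in enumerate(filters):
        reasons = []
        if f.get("forwardTo"):
            reasons.append(f"forwards matching mail to {f['forwardTo']}")
        # Everything that is not an action is a matching criterion (from, to, subject, hasTheWord...).
        criteria = " ".join(v for k, v in f.items() if k not in ACTION_KEYS and v).lower()
        hides = [a for a in HIDING_ACTIONS if f.get(a) == "true"]
        if hides and any(term in criteria for term in SECURITY_TERMS):
            reasons.append(f"hides security-related mail ({', '.join(hides)}) matching '{criteria}'")
        if reasons:
            findings.append((i, reasons))
    return findings


if __name__ == "__main__":
    for index, reasons in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"filter #{index}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Any filter the script reports should be deleted unless you remember creating it; a forwarding address you do not recognise is the single strongest sign that someone else has been reading your mail. Outlook and other providers do not offer the same export, so check their rule lists by hand.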
Step 3: Change Passwords Systematically
After securing your email, work through your other accounts in order of priority. Do not try to change everything at once — focus on the most critical accounts first, then work your way through the rest over the following days.
Priority 1: Financial and critical accounts
- Banking and financial services
- Payment platforms (PayPal, Venmo, Cash App, etc.)
- Investment and retirement accounts
- Government and tax services
- Health insurance and medical portals
Priority 2: Communication and social accounts
- Social media platforms
- Messaging apps
- Cloud storage (Google Drive, Dropbox, iCloud, etc.)
- Work and professional accounts
Priority 3: Everything else
- Shopping and e-commerce accounts
- Subscriptions and streaming services
- Forums and community accounts
- Any remaining account that shared the same password as the compromised one. Treat these as already compromised regardless of category: if one of them holds money or identity data, move it up to Priority 1.
For each account, generate a unique password using a password manager. If you do not have a password manager yet, this is the time to start using one. It will make the rest of this process — and your ongoing security — dramatically easier.
Step 4: Check for Unauthorized Changes
Once you have regained access and changed your passwords, you need to audit what the attacker may have done while they had control. Depending on the type of account, check for:
- Profile changes. Has your name, bio, profile picture, or other personal information been altered?
- Contact information changes. Were phone numbers, email addresses, or mailing addresses modified? This is especially critical for financial accounts where an attacker could redirect correspondence.
- New linked accounts or payment methods. Look for credit cards, bank accounts, or payment methods you did not add.
- Purchases or transactions. Review recent transaction history for any unauthorized charges. Contact your bank or the platform's support team to dispute fraudulent transactions.
- Messages sent on your behalf. Check sent messages for anything the attacker may have communicated to your contacts, business partners, or others.
- Data exports or downloads. Some services log when data exports are requested. Check if the attacker downloaded your personal data, photos, or files.
- Connected applications. Review OAuth permissions and connected third-party apps. Remove anything unfamiliar.
Step 5: Enable Multi-Factor Authentication Everywhere
With your passwords changed and accounts audited, now is the time to add multi-factor authentication to every account that supports it. MFA is the single most effective defense against future account compromises because it means a stolen password alone is not enough to gain access.
Recommended MFA methods, in order of strength
- Hardware security keys (like YubiKey) and passkeys — the strongest option, phishing-resistant because the credential is bound to the real site and cannot be replayed to a lookalike
- Authenticator apps (like Authy, Google Authenticator, or Microsoft Authenticator) — strong and widely supported, though a code typed into a convincing fake login page can still be relayed by the attacker within its validity window
- Push notifications from the service's own app — convenient but vulnerable to fatigue attacks, where the attacker triggers prompts until you approve one by mistake; prefer variants that make you enter a number shown on the login screen
- SMS codes — better than nothing, but vulnerable to SIM swapping
When you set up MFA, most services will provide backup or recovery codes. Store these securely — in your password manager or printed and kept in a safe place. These codes are your fallback if you lose access to your MFA device.
Step 6: Notify Your Contacts
If your account was used to send messages, post content, or interact with others, let your contacts know what happened. This is not about embarrassment — it is about protecting them.
- Be direct and brief. Let people know your account was compromised, that you have secured it, and that they should disregard any unusual messages they may have received from you.
- Warn about potential phishing. If the attacker sent messages from your account, your contacts may have received phishing links or requests for money. Alert them not to click on anything sent during the compromise period.
- Notify your employer if work accounts were involved. If any work-related accounts were compromised, inform your IT department or manager immediately. There may be additional steps needed to protect company data and systems.
- Contact financial institutions. If any account with financial information was compromised, call your bank and credit card companies to alert them. They can flag your accounts for suspicious activity and issue new card numbers if needed.
Step 7: Investigate How It Happened
Understanding how the compromise occurred helps you prevent it from happening again. Common causes include:
- Password reuse. If you used the same password across multiple services and one of them had a data breach, attackers could have tested that password on your other accounts.
- Phishing. You may have unknowingly entered your credentials on a fake website or responded to a deceptive email.
- Malware. Malicious software on your device could have captured your keystrokes or stolen saved passwords.
- SIM swapping. If SMS-based MFA was your only second factor, an attacker may have convinced your mobile carrier to transfer your number to their SIM card.
- Data breach exposure. Your credentials may have appeared in a public data breach. You can check at haveibeenpwned.com whether your email address has appeared in known breaches; the same site's Pwned Passwords service lets you check whether a specific password has been exposed without sending the password itself.
- Weak or guessable passwords. Short passwords or those based on personal information are vulnerable to brute-force and dictionary attacks.
If malware is a possibility, run a thorough security scan on every device you use to access your accounts before trusting it again. If you changed passwords from a device that turns out to be infected, change them once more from a clean device, and consider a full operating system reinstall for any device with confirmed malware. Keep your operating system and software up to date.
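The password-reuse and breach-exposure causes above come down to one question: has this password been seen in a breach? The Pwned Passwords service at haveibeenpwned.com answers it through a k-anonymity range lookup. The following is an added example, not code from the page or from the service's own client libraries: it hashes the password with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and matches the remaining 35 characters locally, so the full hash never leaves your machine. The embedded response body is constructed for the example (the count shown is not a real figure); the live fetch function needs network access and is the only part that does.

```python
# Added example: check a password against the Pwned Passwords range API
# (haveibeenpwned.com) using its k-anonymity protocol. Only the first five
# hex characters of the SHA-1 hash are sent; the service returns every known
# suffix sharing that prefix and the match is made locally.
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample response for the prefix of "password" (5BAA6). Each line
# is SUFFIX:COUNT; the counts here are made up for the example, and the
# zero-count line imitates the padding entries the service adds on request.
SAMPLE_RESPONSE = """0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
5CC3F45E5C3E8F1F9EE98A7EB4E0A4E9C5D:0
"""


def hash_parts(password):
    """SHA-1 of the password as uppercase hex, split into the 5-character
    prefix that is sent and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Parse a range response and return how often the password was seen
    (0 if the suffix is absent, or only present as a zero-count padding line)."""
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (needs network). Add-Padding asks the service to pad the
    response so its size does not reveal how populated the prefix is."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "account-recovery-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password, fetch=fetch_range):
    """Return the number of times the password appears in the corpus.
    Pass a different fetch callable to run offline against a saved response."""
    prefix, suffix = hash_parts(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration using the constructed response; swap in
    # check_password(pw) with the default fetch for a live query.
    seen = check_password("password", fetch=lambda prefix: SAMPLE_RESPONSE)
    print(f"'password' seen {seen} times in the sample response")
```

A non-zero count means the password must not be used anywhere, even on an account that has not been attacked yet; a zero count does not make a weak password strong, only not yet known to have leaked.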
Preventing Future Compromises
Once you have recovered, take these steps to significantly reduce the risk of another compromise:
- Use a password manager and generate unique, strong passwords for every account. Never reuse passwords across services.
- Enable MFA on all important accounts. Prioritize authenticator apps or hardware keys over SMS-based verification.
- Stay vigilant about phishing. Be skeptical of unexpected emails, texts, or messages that ask you to click a link or provide credentials, even if they appear to come from a trusted source.
- Keep your software updated. Security patches address known vulnerabilities that attackers actively exploit.
- Monitor for breaches. Sign up for breach notification services so you are alerted if your credentials appear in future data breaches.
- Review your accounts periodically. Set a recurring reminder to review active sessions, connected apps, and security settings on your critical accounts.
- Be cautious with public Wi-Fi. The risk is lower than it once was because nearly every site now uses HTTPS, but never click through a certificate warning on a public network, and use a trusted VPN if you must sign in to sensitive accounts there.
Recovery is stressful, but it is also an opportunity to build a stronger security foundation than you had before. Many people emerge from a compromise with significantly better habits and tools in place.