hacked.com

Been hacked? Take these steps immediately

When you have been hacked, you are usually dealing with two problems at the same time: regaining access and preventing re-entry. Most failed recoveries happen because the attacker still controls a reset channel (email, phone) or still has an active session on a second device.

The goal is not to do everything. The goal is to remove the attacker's ability to reverse your changes. That means securing what can approve resets, then systematically closing the re-entry paths that keep compromises looping.

Rule of thumb: secure the control plane first. If the attacker controls your inbox, every other recovery step is temporary.

Immediate actions by situation

| Situation | Do this first | Then do this |
|---|---|---|
| You can still log in | Secure your primary email from a separate, trusted device | End unknown sessions, remove connected access, then rotate passwords |
| You cannot log in | Secure the inbox and phone number that can reset the account | Use official recovery flows once your environment is stable |
| You are getting unexpected login prompts | Deny prompts and stop signing in from links | Treat it as active compromise and follow the containment steps below |
| Your email inbox is behaving strangely (new rules, missing security emails) | Lock down email access and remove recovery changes | Then repeat recovery on the impacted apps and services |
| Money is involved (invoice fraud, card abuse, crypto transfer) | Stop payments and contact your bank or provider immediately | Then secure accounts and preserve evidence |
| Your business accounts or employee accounts are impacted | Escalate internally and treat it as an incident | Use the business playbook linked below |

If your business is involved, use "what to do if your business or employees are hacked". If you want a faster diagnostic for whether you are dealing with phishing, malware, or a leaked password, use "how to check if you've been hacked". If a messaging account was taken over, use "recover a hacked WhatsApp account" or "recover a hacked Discord account". If Instagram was disabled during the incident, use "recover your disabled Instagram account after a hack".

Stabilize access first

Most platforms have two layers: authentication (how you log in) and recovery (how you regain access). Attackers focus on recovery. If they can reset your password, approve logins, or intercept alerts, they can return after you "fix" the account.

The control plane is anything that can approve resets or receive security alerts:

  • Your email inbox and its recovery options.
  • Your phone number if SMS is used for verification or recovery.
  • Your password manager vault if it stores passwords for everything else.
  • Any device sessions that can approve a login with a tap or prompt.

If you only do one thing: get your email account stable from a device you trust, then work outward.

1) Secure the accounts that control resets: email and phone

Email is the universal reset mechanism. If an attacker controls your inbox, they do not need your passwords. They can just reset everything.

Email inbox checklist

  • Change the email password to a long, unique password stored in a password manager.
  • Enable stronger sign-in on email using an authenticator app, security key, or passkeys where available.
  • Review recovery options (recovery email, recovery phone) and remove anything you do not control.
  • Check sign-in history for devices, locations, or sessions you do not recognize and sign them out.
  • Remove persistence by auditing mailbox forwarding rules, filters, and delegated access you did not create.
  • Search for missing alerts by checking spam and trash. Some attackers delete security emails to reduce your visibility.

If you do not already use a password manager, start with the accounts that reset other accounts. See "password managers".

Phone number checklist

  • Treat loss of service as a signal: if your phone suddenly stops receiving calls or texts, assume there may be a carrier-level issue and investigate quickly.
  • Protect carrier access: add a carrier PIN or account passcode so a stranger cannot move your number.
  • Reduce SMS dependence: prefer app-based authentication when possible, and keep recovery options current so you do not rely on a single phone number.

This is also the moment to secure the accounts that can reset the inbox itself (Apple ID, Google Account, Microsoft account), because they are part of the same control plane.

2) Secure devices and browsers before re-entering passwords

Compromise often persists because the device is compromised, or because your browser session was stolen. If you change passwords on a device the attacker controls, you may hand the new password to them immediately. If your session is stolen, the attacker can sometimes bypass passwords entirely.

Session theft is often called session hijacking. It is why people get re-compromised even after a password change.

  • Update your OS and browser so known vulnerabilities are not still open.
  • Remove suspicious extensions and anything you do not actively use, especially coupon, PDF, screen recorder, crypto, and "security" extensions you did not install intentionally.
  • Check for remote access tools you did not install and remove them.
  • Run a malware scan if you suspect credential theft, unexpected popups, or a sudden burst of logins and password reset emails.
  • Use a clean browser profile for recovery. A fresh profile reduces the risk of malicious extensions and cached sessions interfering with recovery.
  • Avoid shared machines during recovery. You need a stable, trusted environment to make changes that stick.

Do not: type new passwords into a device you do not trust. Fix the device first or use a separate trusted device.

3) Remove attacker sessions and connected access

After you secure the control plane and device, remove attacker access wherever the account allows it. Your goal is to delete the "already logged in" state, and to remove third-party access that can re-create it.

| Re-entry path | What it looks like | How to close it |
|---|---|---|
| Unknown sessions | You see logins from devices you do not recognize | Sign out unknown sessions, or sign out everywhere if the service offers it |
| Connected apps | Third-party apps "connected" to your account | Revoke any app you do not recognize or no longer use |
| Forwarding and filters | Security emails are missing, or routed elsewhere | Remove forwarding rules, filters, and delegates you did not create |
| Recovery methods | New email address or phone number attached to the account | Remove unknown recovery options and re-verify the ones you keep |
| Trusted devices | A device can approve logins automatically | Remove unknown trusted devices and re-check account security prompts |

Once re-entry paths are closed, rotate passwords for accounts you suspect are affected. If you reused the same password, treat every account that used it as compromised until proven otherwise.

Common mistake: changing a password while leaving forwarding rules, connected apps, or long-lived sessions in place. That is how compromise returns.

4) Rotate passwords safely

Password rotation can create its own failure mode: locking yourself out or breaking recovery while the attacker still controls the control plane. The fix is order and documentation.

  • Rotate in order of blast radius: email first, then the accounts that can reset email, then your password manager, then everything else.
  • Use unique passwords for every account. Password reuse is why one breach becomes ten compromises.
  • Do not rotate everything at once if you are not stable. Rotate the control plane, confirm you are stable, then proceed.
  • Write down what you changed (account, time, what was changed). This prevents you from looping or missing an account under stress.

If you discover that your password manager or its recovery email is compromised, treat that as a top-priority incident. A compromised vault means every password change can be reversed or watched.

5) Strengthen authentication so phishing stops working

Most takeovers come from password reuse, phishing, or device/session theft. Stronger sign-in changes the economics for attackers by requiring more than a password to re-enter.

Enable two-factor authentication (2FA) on the control plane first: your inbox and the accounts that can reset your inbox. Then enable it on high-impact accounts such as banking, social, and any account that can approve purchases.

If WhatsApp is part of the incident, harden it after containment using "how to secure your WhatsApp account".

  • Prefer phishing-resistant options when available: security keys or passkeys are harder to abuse than one-time codes.
  • Store backup codes safely so hardening does not turn into self-lockout.
  • Be skeptical of approval prompts you did not initiate. Attackers rely on fatigue and confusion.

6) Preserve evidence and build a short timeline

Evidence matters for reversals, disputes, and support escalations. Capture it early, before sessions expire and notifications disappear.

  • Security emails and notifications about changes.
  • Screenshots of prompts, error messages, and case numbers.
  • A simple timeline: what you noticed, what changed, and what you did in response.
  • Any attacker contact, extortion messages, or payment instructions.

Keep it factual and consistent. One page of clear facts beats a long narrative. Also keep copies somewhere the attacker cannot reach, not inside a compromised inbox.

7) Verification habits prevent the next incident

Many follow-on incidents happen because attackers use the compromise as a pretext. They impersonate support, ask for codes, and send links that look like recovery flows.

Standardize behavior that prevents the most common failures: navigate to services directly, do not sign in from links, and never share verification codes with anyone. Use "how to identify scam emails" to pressure-test suspicious messages before you act on them.

If money is involved, stop the bleeding first

Attackers often try to monetize quickly: unauthorized card charges, invoice fraud, gift card purchases, ad spend, or a one-time transfer from a payment app. In those situations, the order matters. If money is leaving, stop that first, then do the deeper cleanup.

  • Contact the provider that can stop the transaction: your bank, card issuer, payment app, exchange, or billing provider. Ask about fraud workflows and what evidence they need.
  • Lock down payment rails: freeze cards if you can, change payment app passwords, and remove unknown payees, cards, and bank accounts that were added during the compromise window.
  • Expect follow-on scams: attackers may call pretending to be your bank or support. Use official phone numbers and in-app messaging, not numbers from emails or texts.

Preserve evidence before you remove things that might disappear (screenshots, timestamps, payee details). If the compromise involved email access, also search for invoice rules or auto-forwarding that could enable repeat fraud.

If you are locked out, avoid recovery traps

Lockouts are stressful because the instinct is to retry constantly. That can work against you if the platform treats repeated attempts as suspicious. The most reliable approach is operational: stabilize signals, reduce noise, and make each recovery attempt count.

If the attacker changed multiple signals (email, phone, 2FA), recovery usually comes down to proving continuity. Stick to stable conditions, use official channels, and avoid third-party "support" numbers you find through ads or search results. Scammers target people during lockouts.

  • Use a known device and browser where you previously logged in, if you still have one. Recovery often depends on continuity signals.
  • Do not bounce between many devices while recovery is active. It can look like attacker behavior and slow you down.
  • Secure the control plane first and let those changes settle, then attempt recovery again. Email and phone changes sometimes take time to propagate.
  • Document failures (error text, timestamps, case numbers) so you can be consistent if you need to escalate through official support channels.

If you regain access, immediately repeat the sequence above: end sessions, remove connected access, rotate passwords, and strengthen sign-in. Many lockouts repeat because the attacker still has a session or a recovery method on the account.

What recovered looks like

Recovery is not "I can log in again." Recovery is stability:

  • The inbox and phone number that reset accounts are protected and clean.
  • Unknown sessions, trusted devices, and connected app access are removed.
  • Passwords are unique and tracked, not improvised.
  • Strong sign-in is enabled for the control plane.

Most compromises become long and expensive only when the control plane stays weak. When the inbox is secured and sessions are owned, attackers lose the ability to turn one event into a loop.

That is the strategic objective: fewer re-entry paths and faster detection when something changes. The tools differ by platform, but the sequence is durable.

Over time, the best defense is habit. Navigate to services directly, treat unexpected prompts as incident signals, and harden the control plane first when anything looks off.

When those habits are in place, recovery stops being a crisis and becomes a procedure you can execute under pressure.