Lockout after a takeover is usually not “one account”. It is a control-plane problem: the attacker controls the inbox, phone number, or device session that your target account uses for resets. Recovery gets easier when you work the incident in the right order and stop feeding the attacker fresh codes.
| Immediate sequence | Do this | Why it works |
|---|---|---|
| 1 | Secure your primary email inbox first | Email is the reset hub for most accounts and is the most common reason recovery keeps failing |
| 2 | Stabilize your phone number and devices | SIM swap and stolen sessions can keep the attacker in even after password changes |
| 3 | Use only the official recovery entry point for the account | Third-party “support” offers and sponsored phone numbers are common follow-on scams |
| 4 | After access returns, sign out sessions and remove unknown app access | This removes persistence paths that survive a password reset |
| 5 | Harden authentication so the next attempt fails fast | Strong 2FA plus clean recovery channels reduces repeat takeovers |
Key idea: if the controlling inbox is compromised, every recovery attempt can be undone. Secure email first, then recover the target account.
Secure the reset hub (email) before you attempt recovery
If an attacker can read your email, they can see recovery links and one-time codes. That turns recovery into a loop. Fix the inbox first.
- Change your email password from a clean device.
- Enable two-factor authentication (2FA) for the email account.
- Check for mailbox forwarding rules, delegates, and “send mail as” changes.
- Review recent sign-ins and sign out of sessions you do not recognize.
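The forwarding-rule, delegate and "send mail as" check above is the one most people skip, so here is an added example of what that audit looks like in code. It is not part of the original article and is not tied to any provider's API: it runs over a constructed export of mailbox settings (the rule fields, addresses and domains are all hypothetical) and flags the persistence patterns an attacker typically leaves behind: forwarding to an address outside your own domains, forward-then-delete, rules that hide security alerts or verification codes, and delegates or send-as identities you did not set up. The same check applies when an account keeps "snapping back" after a reset.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Subjects of the mail an attacker wants hidden from the owner: provider
# security alerts, one-time codes and reset links.
SENSITIVE_SUBJECT = re.compile(r"(security alert|verification|one-time|reset|sign-in)", re.I)


@dataclass
class MailRule:
    """One inbox rule from a constructed settings export (hypothetical schema)."""
    name: str
    enabled: bool = True
    subject_contains: str = ""            # rule condition; empty means every message
    forward_to: list[str] = field(default_factory=list)
    delete: bool = False                  # delete/trash the message after matching
    mark_read: bool = False
    move_to: str = ""                     # folder the matched message is moved to


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_mailbox(rules, delegates, send_as, expected_delegates, expected_send_as, owned_domains):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    owned = {d.lower() for d in owned_domains}
    for r in rules:
        if not r.enabled:
            continue
        external = [a for a in r.forward_to if domain_of(a) not in owned]
        if external:
            findings.append(f"rule '{r.name}': forwards to external address(es) {external}")
        if r.forward_to and r.delete:
            findings.append(f"rule '{r.name}': forwards then deletes (hides the copy from the owner)")
        if SENSITIVE_SUBJECT.search(r.subject_contains) and (r.delete or r.mark_read or r.move_to):
            findings.append(f"rule '{r.name}': suppresses security/verification mail matching '{r.subject_contains}'")
    for d in delegates:
        if d.lower() not in {e.lower() for e in expected_delegates}:
            findings.append(f"delegate {d}: mailbox access you did not grant")
    for a in send_as:
        if a.lower() not in {e.lower() for e in expected_send_as}:
            findings.append(f"send-as {a}: identity you did not configure")
    return findings


# Constructed sample export (hypothetical addresses and domains).
OWNED_DOMAINS = {"example.com"}
EXPECTED_DELEGATES = {"assistant@example.com"}
EXPECTED_SEND_AS = {"me@example.com"}
SAMPLE_RULES = [
    MailRule("Receipts", subject_contains="receipt", move_to="Receipts"),          # benign
    MailRule("fwd", forward_to=["collector@mail-drop.example.net"], delete=True),  # exfil + hide
    MailRule("clean", subject_contains="security alert", mark_read=True, move_to="RSS Feeds"),
    MailRule("Old forward", enabled=False, forward_to=["x@elsewhere.example.org"]),  # disabled, skipped
]
SAMPLE_DELEGATES = ["assistant@example.com", "helper@gmail.example"]
SAMPLE_SEND_AS = ["me@example.com", "ceo@example.com"]


def run_sample():
    return audit_mailbox(SAMPLE_RULES, SAMPLE_DELEGATES, SAMPLE_SEND_AS,
                         EXPECTED_DELEGATES, EXPECTED_SEND_AS, OWNED_DOMAINS)


if __name__ == "__main__":
    for line in run_sample():
        print("FINDING:", line)
```

Every finding here maps to a settings screen you can fix by hand; the point of the script is the order of questions, not automation. A rule that is disabled still deserves a look, but it cannot be what is leaking your codes right now, which is why the audit skips it.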
If your email account was the first thing that got hit, do not guess about the attack path. Start with the basic incident triage flow in the guide on immediate steps after being hacked, then come back and resume recovery.
Stabilize the phone number and device layer
Lockouts often involve one of these: a phone number takeover, a stolen browser session, or a compromised device that keeps re-authenticating the attacker.
- If you lost cell service unexpectedly or received carrier notices you did not initiate, treat it as SIM swapping until proven otherwise.
- If your browser keeps logging you out or settings keep changing, treat it as session hijacking or device compromise.
- If you installed a suspicious app, profile, or browser extension shortly before the takeover, start with the guide on how to detect spyware.
Pick the correct recovery lane (and do not add noise)
Recovery systems score your request based on signals: device history, location, account history, and the quality of your answers. Noise reduces your odds.
- Use a device and network you have used before, if possible. Avoid VPNs during recovery.
- Use the official recovery entry point, not links from emails, DMs, or ads.
- Answer recovery prompts carefully and consistently, even when you are not sure.
- Avoid repeated rapid attempts from many devices. If you keep failing, pause and improve the control plane rather than brute-forcing recovery prompts.
Common mistake: trying dozens of recovery attempts from new devices and new locations. That can reduce trust signals and slow recovery.
If the attacker changed the recovery email or phone number
This is a takeover escalation because it blocks your resets and moves ownership. There are three defensive moves that often matter more than any single platform screen:
- Look for “revert this change” messages: many providers send a security alert when an email, phone number, or password changes. Those alerts sometimes contain a direct revert link that works only for a short time window.
- Collect evidence: save the provider alerts, timestamps, and any account identifiers. If you escalate to official support later, you will need a clean timeline.
- Stop feeding new recovery data into the compromised loop: if your inbox is still compromised, do not keep requesting codes that the attacker can see.
If you are dealing with a social media account where “support” scams are common, use the guide on how to identify scam emails and stay on official domains only.
If 2FA is blocking you (authenticator, security key, or SMS)
2FA is supposed to make takeover harder, but it can also lock out legitimate owners if you lose the device or the attacker changes the method.
- If you have backup codes, use them. Treat backup codes like keys and store them offline for the future.
- If you used a security key, try the backup key if you have one.
- If you relied on SMS and your phone service changed unexpectedly, treat it as phone takeover and stabilize the carrier account before retrying.
- If you cannot access the second factor at all, use the platform’s official “try another way” or identity verification path and avoid any third-party “recovery” offers.
The goal is not to disable 2FA. The goal is to re-establish a second factor you control and can recover responsibly.
If you regained access, but it keeps getting stolen back
When an account “snaps back” after you reset the password, one of these is still true:
- Your email inbox is still compromised (forwarding rules, OAuth access, or an unrevoked session).
- A device is compromised and keeps leaking credentials or sessions.
- A connected app still has access and is re-authorizing the attacker.
- You are still reusing a password pattern across accounts, and the attacker is logging in again through another service.
At this stage, widen your incident view and run the checklist in the guide on how to check if you have been hacked. If phishing was involved, review the explainer on what phishing is and the most common failure modes that lead to repeat compromises.
After you are back in: remove persistence and harden for the next attempt
Recovery is only complete when you remove the attacker’s remaining access and make future attempts expensive.
- Sign out of all sessions, then sign back in only on devices you control.
- Remove unknown connected apps, OAuth authorizations, and delegations.
- Rotate the password to a unique one stored in a password manager.
- Enable 2FA with a strong method you can reliably use. Prefer authenticator apps, security keys, or passkeys over SMS where available.
- Review recovery email and phone settings and make sure they point to assets you actually control long-term.
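"Remove unknown connected apps, OAuth authorizations, and delegations" is easier to do well with a decision rule than by scrolling a list. The following is an added example, not from the original article and not a provider's API: it runs over a constructed list of third-party app grants (app names, scope names and dates are all hypothetical) and sorts them into "revoke" (unrecognised, or granted during the incident window with a scope that reads or sends your mail or manages the account) and "review" (apps you do recognise but that hold a high-risk scope and should be re-justified).

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime

# Constructed scope vocabulary for the example; real providers use their own
# scope strings, but the risk categories are the same.
HIGH_RISK_SCOPES = {"mail.full", "mail.read", "mail.send", "account.manage", "contacts.read"}


@dataclass
class AppGrant:
    app: str
    scopes: set[str]
    granted_at: datetime
    recognised: bool          # the owner remembers authorising this app


def assess_grants(grants, incident_start):
    """Return (revoke, review): lists of (app, reasons) for each action."""
    revoke, review = [], []
    for g in grants:
        risky = sorted(g.scopes & HIGH_RISK_SCOPES)
        in_window = g.granted_at >= incident_start
        reasons = []
        if not g.recognised:
            reasons.append("not recognised by owner")
        if in_window:
            reasons.append("granted during incident window")
        if risky:
            reasons.append(f"high-risk scopes {risky}")
        # Unknown apps go regardless of scope; known apps go if they arrived
        # during the incident with mail/account access. Known, old, risky apps
        # are kept on a review list so the owner re-justifies them.
        if not g.recognised or (in_window and risky):
            revoke.append((g.app, reasons))
        elif risky:
            review.append((g.app, reasons))
    return revoke, review


# Constructed sample (hypothetical apps); the incident is taken to start on 2024-06-01.
INCIDENT_START = datetime(2024, 6, 1)
SAMPLE_GRANTS = [
    AppGrant("Calendar Sync", {"calendar.read"}, datetime(2023, 1, 10), recognised=True),
    AppGrant("Mail Backup Tool", {"mail.full"}, datetime(2023, 3, 2), recognised=True),
    AppGrant("Inbox Helper", {"mail.read", "mail.send"}, datetime(2024, 6, 2), recognised=False),
    AppGrant("Photo Printer", {"profile"}, datetime(2024, 6, 3), recognised=True),
]


def run_sample():
    return assess_grants(SAMPLE_GRANTS, INCIDENT_START)


if __name__ == "__main__":
    revoke, review = run_sample()
    for app, why in revoke:
        print("REVOKE", app, "-", "; ".join(why))
    for app, why in review:
        print("REVIEW", app, "-", "; ".join(why))
```

Revoking a grant does not by itself invalidate every token the app already holds on all platforms, so pair this with the "sign out of all sessions" step and re-check the list a day later: an app that reappears is a sign something is still re-authorising it.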
Official recovery entry points (common accounts)
Use official entry points and type them in directly, especially during an active incident. These are common recovery starting points:
- Google account recovery: accounts.google.com/signin/recovery
- Apple ID recovery: iforgot.apple.com
- Microsoft account recovery: account.live.com/password/reset
Messaging app playbooks: recover a hacked WhatsApp account and recover a hacked Discord account.
Lockout recovery becomes predictable when you treat it like a control-plane incident. Secure the inbox, stabilize the phone and devices, then use official recovery flows without adding noise. Once you can explain who controls resets and who controls sessions, you are no longer guessing. You are working a sequence that converges on a stable state where only you can change security settings and every change is detectable.
