Account Recovery After a Hack: Step-by-Step Restoration

By AntiPhishers

Discovering that one of your accounts has been compromised triggers panic, but a calm, systematic response limits the damage and restores your security. Whether an attacker has taken over your email, social media, bank account, or cloud storage, the recovery steps follow a consistent pattern: contain the breach, regain access, secure the account, assess the damage, and prevent recurrence.

Signs Your Account Has Been Compromised

You receive a password reset email you did not request. Your password no longer works. You see login notifications from unfamiliar locations or devices. Friends tell you your account is sending spam or suspicious messages. You notice transactions you did not make. Sent items contain messages you did not write. Your account settings, recovery email, or phone number have been changed.

Immediate Containment Steps

Do not panic, but act quickly. The first 24 hours are critical. Attackers often change recovery information immediately after gaining access to lock you out permanently.

If you can still log in: Change the password immediately to something strong and unique. Check and reset the recovery email and phone number if they have been changed. Review and revoke all active sessions (most platforms show active logins in security settings). Revoke access for any connected third-party applications you do not recognize. Enable two-factor authentication if it is not already active.

If you are locked out: Use the platform’s official account recovery process. For Google, go to accounts.google.com/signin/recovery. For Microsoft, account.live.com/password/reset. For Facebook, facebook.com/hacked. For Apple, iforgot.apple.com. Have your original recovery email, phone number, or identity documents ready. Do not use any “recovery” links sent to you via email or social media, as these may be phishing attempts by the attacker.

For email account compromises specifically: This is the highest-priority recovery because email is the gateway to all other accounts through password resets. After recovering your email, immediately check for email forwarding rules the attacker may have set up to copy all your incoming mail to their address. Review sent and deleted folders for password reset emails the attacker may have triggered for your other accounts.

Post-Recovery Security Hardening

Change passwords on every account that used the same password as the compromised account. Check the compromised account for any data the attacker may have accessed or exported: financial information, personal documents, contacts, photos, or messages. Review connected accounts and services for unauthorized changes.

Enable two-factor authentication on the recovered account and all linked accounts. Use an authenticator app or hardware key, not SMS. Review all recovery options to ensure they point to accounts you control.

When to Involve Authorities

If the compromise involves financial theft, report it to your bank, the FTC (reportfraud.ftc.gov), and the FBI’s IC3 (ic3.gov). If your identity information was exposed, see our identity theft protection guide for comprehensive steps including credit freezes and fraud alerts. If the compromise is part of a workplace incident, notify your IT security team immediately per your organization’s incident response plan.

Preventing Future Compromises

The compromise likely occurred through one of three vectors: a reused password exposed in a data breach, a phishing attack that captured your credentials, or malware that logged your keystrokes. Address all three by migrating to a password manager with unique passwords everywhere, learning to recognize phishing attempts, and running a thorough malware scan on all your devices.

Preventing Recurrence

After recovery, conduct a thorough review to identify how the compromise occurred. Was it a reused password exposed in a data breach? A phishing email that captured your credentials? Malware on your device that logged keystrokes? The answer determines which preventive measures are most important.

If the compromise was password-related, migrate all accounts to a password manager with unique, randomly generated passwords. If it was phishing, review your ability to recognize phishing attempts and consider additional training resources. If it was malware, ensure your devices have up-to-date antivirus protection and that you are not downloading software from untrusted sources.

Document what happened, how you discovered it, and the steps you took to recover. This documentation helps if you need to file insurance claims, dispute fraudulent charges, or report the incident to law enforcement. It also serves as a personal reference if similar incidents occur in the future, allowing you to respond faster with proven steps.