Account Compromise¶

Someone has gained unauthorized access to your email, social media, cloud storage, or other online accounts. This often leads to further attacks like business email compromise or data theft.

Immediate Actions (First Hour)¶

Regain access if possible - Use "forgot password" with a known-safe recovery method
Enable 2FA immediately - Even if you regain access, enable two-factor authentication
Check for forwarding rules - Attackers often set up email forwarding to maintain access
Review connected apps - Revoke access for any suspicious third-party applications
Alert your organization - Others may have received malicious emails from your account

Account-Specific Recovery Guides¶

Google / Gmail¶

Recovery: accounts.google.com/signin/recovery
Security checkup: myaccount.google.com/security-checkup
Review activity: myaccount.google.com/device-activity
Check forwarding: Gmail Settings → Forwarding and POP/IMAP

Microsoft 365 / Outlook¶

Recovery: account.live.com/password/reset
Security dashboard: account.microsoft.com/security
Review sign-ins: mysignins.microsoft.com
Admin portal (M365): Check Inbox rules, delegates, mobile devices

Apple ID / iCloud¶

Recovery: iforgot.apple.com
Security keys: support.apple.com/en-us/HT212196
Review devices: Settings → [Your Name] → Devices

Facebook/Meta: - Hacked account: facebook.com/hacked - Security checkup: facebook.com/privacy/checkup

Instagram: - Hacked account: help.instagram.com/368191326593075 - Security: Settings → Security → Login Activity

LinkedIn: - Hacked account: linkedin.com/help/linkedin/answer/56363 - Sessions: Settings → Sign in & security → Where you're signed in

Twitter/X: - Hacked account: help.twitter.com/en/safety-and-security/twitter-account-hacked - Apps: Settings → Security and account access → Apps

Check If Your Credentials Were Leaked¶

Have I Been Pwned¶

Website: haveibeenpwned.com
Check if your email appears in known data breaches
Sign up for notifications of future breaches

Firefox Monitor¶

Website: monitor.firefox.com
Similar breach monitoring service

DeHashed (Advanced)¶

Website: dehashed.com
Search by email, username, IP, name, etc.
Some features require subscription

Securing Your Account After Recovery¶

Enable Strong Two-Factor Authentication¶

Best to worst options:

Hardware security key (YubiKey, Google Titan) - Phishing resistant
Authenticator app (Google Authenticator, Microsoft Authenticator, Authy)
SMS codes - Better than nothing, but vulnerable to SIM swapping

Free Security Keys¶

Yubico Secure it Forward: yubico.com/secureitforward - Free keys for at-risk individuals

Password Manager Setup¶

Bitwarden: bitwarden.com - Free, open source
1Password: 1password.com - Free for families of journalists
KeePassXC: keepassxc.org - Free, offline, open source

What Attackers Do With Compromised Accounts¶

Be vigilant for these follow-on attacks:

Business Email Compromise (BEC) - Sending fraudulent invoices or payment requests
Lateral movement - Using your account to attack colleagues
Data theft - Accessing files, contacts, sensitive information
Reputation damage - Posting inappropriate content
Password reset attacks - Resetting passwords on other services

Evidence to Preserve¶

[ ] Login activity logs (screenshots)
[ ] Forwarding rules or filters (before removing them)
[ ] Connected apps list
[ ] Any messages sent by the attacker
[ ] Timestamps of suspicious activity

Guides & Documentation¶

EFF Surveillance Self-Defense¶

Account Security: ssd.eff.org
Comprehensive account protection guide

Security in a Box¶

Account Compromise: securityinabox.org/en/communication/account-compromised
Step-by-step recovery guide

Google Advanced Protection Program¶

For high-risk users: landing.google.com/advancedprotection
Strongest account security available

Need Help?¶

If you're a Swedish organization dealing with account compromise affecting your business:

Apply to HackAid - Our volunteers can help investigate the scope and impact.

Last updated: 2026-01