Account Recovery

  • Have you recently logged into a page, and it didn’t work or sent you to a different page?

  • Have messages been sent from your account that you don’t recognise?

  • Have you started getting a large amount of spam calls, emails or messages?

  • Has someone told you to follow the instructions on this page?

If the answer to any of these questions is yes, it’s possible that your account has been compromised! Whilst this may seem like the end of the world, there is a series of simple steps you can take to minimise the damage.

  1. CHANGE YOUR PASSWORD! Your password is the most likely way the attackers got in, so changing it is the best way to kick them out.

  2. Check to see if any new email addresses have been linked to your account (recovery emails, notification emails, etc). Attackers can use these to reset your password.

Now that you have blocked them out, try to undo any damage they have done:

  1. Check all of your recent messages, and unsend anything you don’t recognise

  2. Make an announcement to all of your contacts (via a post, or messages in a chat), telling them to not click any links you have sent them before now, and to disregard earlier messages.

  3. If there was private information attached to this account, you should treat it as compromised, and plan accordingly. It is unlikely that it will be used (as most attacks are automated), but it’s important to be ready if it is.

  4. If a lot of personal information was attached to the account, you should contact your bank, your mobile services provider, or your school/uni/company, to make sure that they take extra caution with anyone claiming to be you.

You also (probably) want to minimise the risk of this happening again:

  1. Enable two-factor authentication wherever possible (also called 2FA, MFA, mobile authentication, email authentication, etc). Most attackers do not plan for this, and doing this will stop 99% of automated attacks. Even for ones who do plan, this gives you an extra chance to notice if something is suspicious.

  2. Enable PINs and passwords for as many services as possible. This means that even if someone has your personal details, they still can’t get into those accounts.

  3. Check the URL of any website that asks you to log in. If it looks even the slightest bit odd or unexpected, don’t fill it in. If it is missing the padlock icon, don’t fill it in. If you’re sure that you have already logged in, don’t fill it in.

  4. Consider using a password manager that generates passwords for you. Whilst it doesn’t stop attackers who steal your password, it does stop those who try to guess it.

  5. Share all of this information (or this page) with anyone who you think could be compromised. This doesn’t just help them, but also limits the spread of these attacks.