Someone Took Over Your Account. Here Is How To Take It Back
Gmail, Microsoft 365, Outlook, iCloud, Facebook, Instagram, X, LinkedIn, TikTok, Coinbase, PayPal, Venmo, bank portals. Whatever the service, the first hour of a compromised account is the most important one. Petronella Technology Group walks you through recovery, preserves evidence, and helps you understand how the attacker got in so it does not happen again.
Can A Forensics Firm Actually Recover A Hacked Account For You?
We do not log into accounts we do not own. Here is what we actually do to help, and why that model protects you better than anything else.
Not directly. Only the platform can return the account to you. Google, Apple, Microsoft, Meta, X, and every bank or exchange own their recovery process. What a forensics firm does is accelerate that recovery, preserve the evidence needed to prove account ownership, contain damage, and rebuild your security posture. Anyone promising direct account recovery through back channels is lying or breaking the law.
You will see a lot of paid ads promising fast account recovery. Many are scams. Some are worse. No reputable firm is going to ask for your password, your backup codes, or remote control of your device in order to recover a hacked account. Anyone who does is either incompetent or fraudulent.
What Petronella Technology Group does instead is coach you through the recovery workflow the platform itself publishes, preserve the evidence trail needed for insurance, police, or civil action, examine any compromised devices for the root cause, and help you lock the attacker out of everything they might still touch. The actual account recovery request goes in from your hands using your identity documents on the vendor portals. That model is slower than a magic wand but it is the only one that actually works and does not expose you to follow on fraud.
If you hold your own seed phrase for a cryptocurrency wallet, we do not ask for that either. Anyone asking for a seed phrase is stealing the wallet.
What Are The First Five Actions After An Account Takeover?
Do not sit on the same laptop or phone the attacker may have touched. Grab a device the attacker has no relationship with, and start here.
Work from a clean device the attacker has never touched. Change passwords from a password manager, enable hardware-based MFA, review active sessions and authorized apps, audit recovery email and phone, and tell your bank, employer, or insurer depending on what was in the account. If money was wired, also see our business email compromise recovery page.
1. Move to a clean device. Borrow a family member's phone if you need to.
2. Change the password and log out all active sessions on the compromised account.
3. Check and remove unknown recovery email addresses, phone numbers, and app passwords.
4. Turn on hardware key or authenticator app based MFA. Remove SMS MFA if you can.
5. Screenshot every unfamiliar activity before revoking it. Preserve evidence first.
For Microsoft, the My Sign Ins portal at myaccount.microsoft.com lets you review recent activity. For Google, look at myaccount.google.com/security. For Apple iCloud, Settings, your name, then Password and Security. For Meta services (Facebook, Instagram), Settings, Security and Login, Where You're Logged In. Most platforms now offer a one click Sign Out Everywhere option. Use it.
Which Accounts Should You Check When One Account Gets Hacked?
One compromised inbox is rarely the only problem. The first day is about mapping the blast radius.
Work outward in a clear pattern. Start with email because email resets everything. Then move to financial accounts, cloud storage, password managers, social media, and work accounts. Check every account that used the compromised email for password resets, and rotate all passwords that were reused. See our cyber-security pillar for the full account-hardening checklist.
List every service linked to the compromised email. Password managers, bank logins, investment accounts, crypto exchanges, cloud storage, payroll, shopping accounts. Anything that uses the compromised email for password resets is also compromised until proven otherwise.
Change passwords on every linked account from the clean device. Generate long random passwords stored in a password manager. Do not reuse a password you have ever used anywhere else.
Enable MFA on every account that supports it. Use an authenticator app or a hardware security key. If the only option is SMS, enable it for now, but plan to upgrade as soon as the service adds a stronger factor.
Check financial accounts. Look at bank transactions, investment account orders, credit card activity, PayPal and Venmo, crypto exchange withdrawal activity, and loyalty point balances. Attackers cash out airline miles, hotel points, and gift card balances almost as often as bank accounts.
Pull credit reports and consider a freeze. A credit freeze at Experian, Equifax, and TransUnion is free and stops new credit from being opened in your name. You can thaw it when you need credit.
Preserve logs and screenshots for the record. Forwarding rules, unfamiliar devices, unfamiliar IP addresses, outbound messages sent during the compromise, and notifications of password changes you did not make. This evidence matters for insurance claims, FBI IC3 filings, and any civil action.
What Does A Full Hacked Account Engagement Look Like Beyond The First Day?
Week one is about making sure the attacker cannot walk back in through a side door.
Day one is containment. Days two through seven are investigation, platform recovery follow through, and systematic hardening. We review how the attacker got in, what they accessed, and what they left behind. The engagement closes with documented posture improvements you can maintain on your own.
Forensic check of your devices. If the compromise started with malware on your laptop or phone, simply changing passwords does not fix it. Petronella Technology Group can examine the device for keyloggers, info stealers, clipboard hijackers, malicious browser extensions, and remote access tools. Often we find a browser extension that was the pivot point and did not look suspicious to the user.
Review OAuth and app permissions. Look at every third party app that has access to your Google or Microsoft account and revoke anything you do not actively use. A common persistence technique is to authorize a third party mail reader so that even after the password changes, the attacker still has a session token.
Check out of band communication channels. Attackers often change the phone number on the account while they are in so that the victim cannot get SMS recovery codes. Verify that your phone number, recovery email, and security questions are actually yours.
Report to the platform and to law enforcement. Most major platforms have a compromised account reporting form. File FBI IC3 at ic3.gov. If identity theft is involved, also file with identitytheft.gov, an FTC resource that produces an identity theft report you can send to creditors.
Notify your network. If the compromised account was used to message contacts, send a short note letting people know the account was compromised, what dates are affected, and what messages to ignore. Many follow on attacks use the victim's hijacked trust to attack friends and colleagues.
Swap to a password manager permanently. If you were not already using one, start now. 1Password, Bitwarden, and Dashlane are all reasonable options. Turn on biometric unlock and a strong master password.
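The OAuth and app permission review described above can be worked through as a small triage script. This is an added example, not Petronella Technology Group's tooling; the record fields, app names, timestamps and the `review_grants` helper are all constructed assumptions standing in for whatever list of connected apps your platform shows you.

```python
from datetime import datetime

# Scopes that expose mailbox contents. The list is an assumption; extend it per platform.
MAIL_SCOPES = {"mail.read", "mail.readwrite", "mail.send", "https://mail.google.com/"}
REFRESH_SCOPE = "offline_access"  # lets the app receive refresh tokens


def review_grants(grants, window_start, window_end, in_use):
    """Return {app: (verdict, reasons)} for each third party grant.

    window_start and window_end bound the suspected compromise (ISO 8601 strings).
    in_use is the set of apps the account owner confirms they actively use.
    """
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    decisions = {}
    for g in grants:
        scopes = {s.lower() for s in g["scopes"]}
        in_window = start <= datetime.fromisoformat(g["consented_at"]) <= end
        reads_mail = bool(scopes & MAIL_SCOPES)
        unused = g["app"] not in in_use
        reasons = []
        if in_window:
            reasons.append("consent granted during the compromise window")
        if reads_mail:
            reasons.append("can read or send mail")
        if REFRESH_SCOPE in scopes:
            reasons.append("can receive refresh tokens")
        if unused:
            reasons.append("owner does not actively use it")
        if in_window or (reads_mail and unused):
            verdict = "revoke-first"  # screenshot the grant as evidence, then revoke
        elif unused:
            verdict = "revoke"        # the page's rule: revoke anything not actively used
        else:
            verdict = "keep"
        decisions[g["app"]] = (verdict, reasons)
    return decisions


# Constructed sample data: every app name, scope list and timestamp is invented.
SAMPLE_GRANTS = [
    {"app": "Calendar Sync", "scopes": ["Calendars.Read", "offline_access"],
     "consented_at": "2023-01-10T09:00:00+00:00"},
    {"app": "Mail Reader Pro", "scopes": ["Mail.Read", "offline_access"],
     "consented_at": "2024-05-03T02:14:00+00:00"},
    {"app": "Old Survey Tool", "scopes": ["User.Read"],
     "consented_at": "2021-06-01T12:00:00+00:00"},
    {"app": "Inbox Helper", "scopes": ["Mail.ReadWrite"],
     "consented_at": "2022-11-20T18:30:00+00:00"},
]
SAMPLE_IN_USE = {"Calendar Sync"}


def sample_review():
    """Run the review over the constructed sample with an assumed compromise window."""
    return review_grants(SAMPLE_GRANTS, "2024-05-02T00:00:00+00:00",
                         "2024-05-04T12:00:00+00:00", SAMPLE_IN_USE)


if __name__ == "__main__":
    for app, (verdict, reasons) in sample_review().items():
        print(f"{verdict:12} {app}: {'; '.join(reasons)}")
```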
Which Platform Recovery Process Should You Start For Each Major Account Type?
Bookmark this section. Most victims lose time hunting for the right recovery form.
For Google use google.com/accounts/recovery, for Apple use iforgot.apple.com, for Microsoft use account.live.com/acsr, for Meta use facebook.com/hacked, for X use help.x.com, for crypto exchanges contact the exchange's security team with photo ID. Petronella Technology Group helps you assemble ownership evidence and escalate each of these, but we do not replace the platform's process.
Google and Gmail. Start at accounts.google.com/signin/recovery. If you have lost access and recovery email and phone have been changed, you can still submit an account recovery form. Answer as many questions as possible from memory, including old passwords and creation date.
Microsoft 365 and Outlook. Start at account.live.com/acsr for personal Microsoft accounts. For work or school accounts, your tenant administrator must initiate recovery.
Apple iCloud and Apple ID. iforgot.apple.com. If you have trusted devices, account recovery can take a day or more for security.
Facebook and Instagram. facebook.com/hacked. Instagram has a similar flow inside the app. Meta now requires identity verification for recovery.
X (formerly Twitter). help.x.com/en/forms/account-access/regain-access.
LinkedIn. LinkedIn compromised account help.
TikTok. In app, Profile, Settings, Report a Problem, Account and Profile, Compromised Account.
Financial accounts. Always call the bank or exchange directly using the phone number on the back of your card or the official app, not a phone number from an email. The fraud team has dedicated workflows for unauthorized access.
Crypto exchanges. For Coinbase, Kraken, Binance US, and other regulated exchanges, open a support case and expect identity verification. If funds have already moved, see our crypto forensics page.
Common Ways Accounts Get Taken Over
Password Reuse
A service you used years ago got breached, the password list ended up on a credential stuffing site, and attackers ran it against Gmail, your bank, and a hundred other services. If you still reuse a password, you are already compromised. You just do not know it yet.
Phishing Page
A link in a text message or email led to a realistic looking login page. Modern phishing kits steal the session cookie right after a legitimate MFA approval, so even MFA does not always stop them. Hardware security keys do.
SIM Swap
Attacker convinces the mobile carrier to port your number to their device, then sweeps SMS recovery codes. See SIM swap recovery for the full playbook.
Info Stealer Malware
A malicious browser extension, cracked software download, or game mod installs malware that exfiltrates saved passwords and session tokens. Device forensics is the only way to know for sure.
Help Desk Social Engineering
Common against high value targets. Attacker calls the service's support line pretending to be you, supplies just enough breached personal information to be believable, and gets a password reset.
Insider Or Former Partner
Someone who once had legitimate access never got deprovisioned. Ex employees, ex spouses, and former MSPs show up in these cases more often than people expect.
Forensic Findings From A Typical Engagement
When you hire Petronella Technology Group to investigate a hacked account, typical forensic deliverables include a timeline of compromise, the likely initial access vector with supporting evidence, a list of indicators of compromise (malicious IP addresses, app consent grants, user agents), a list of data accessed or downloaded during the compromise, a list of outbound messages sent from the account, and a prioritized remediation plan.
For Microsoft 365 business accounts we pull the unified audit log, Azure AD sign-in logs, mailbox audit logs, and any MDCA or Defender telemetry. For Google Workspace we pull the admin audit log and the user's login and mail delegation history. For personal accounts the data is more limited, but combined with local device forensics we usually have enough to answer the key questions.
If the incident turns into a civil matter (for example, a wire fraud case headed to a bank dispute, or an attempted extortion), we deliver the findings in a format counsel can use as an exhibit. We maintain chain of custody on any imaged devices.
How To Stay Recovered
Getting the account back is not the same as being secure. These steps close the usual follow on risks.
Stop using SMS as your primary second factor. SMS is still better than nothing, and some banks and brokerages still require it. But wherever an authenticator app or hardware security key is available, switch to it. A pair of YubiKeys (one primary, one backup) on your email account solves a class of attacks that authenticator apps alone cannot.
Separate your email accounts by purpose. The email address you use to sign up for newsletters and shopping accounts should not be the same address on your bank account, crypto exchange, or medical portal. This is one of the highest leverage security habits a consumer can adopt. If your shopping address gets breached, your financial life is not in the fallout.
Turn on breach alerts. Services like Have I Been Pwned will email you when your address appears in a new credential dump. Most password managers now have this built in. Be ready to act the same day.
Review linked devices quarterly. Make a thirty minute calendar event every three months to walk through active sessions on Google, Microsoft, Apple, and your social accounts. Kick off any device you no longer own or recognize. This is a low effort habit that catches persistence attempts early.
Make a recovery plan for the people in your household. A short printed list of which accounts you hold, where the backup codes live, and who to call if you are incapacitated prevents the panicked version of this same situation later. For families and small businesses this is genuinely underrated.
Protect the phone number itself. Add a carrier PIN or port out protection on your mobile line. Most major US carriers now offer this free, and it is one of the single best defenses against SIM swap attacks that target your accounts through SMS recovery. See our SIM swap recovery page for the full procedure.
What To Do If The Attacker Used Your Identity
Account compromise is sometimes the first signal that broader identity theft is already underway. These steps matter even if no money has moved yet.
File an FTC identity theft report. Go to identitytheft.gov. The site produces an official identity theft report and a personalized action plan. Banks, creditors, and the major credit bureaus all recognize this document.
Place a fraud alert or security freeze on your credit. A fraud alert is a one year warning that anyone extending credit in your name must verify your identity. A security freeze blocks new credit entirely until you lift it. Both are free at Experian, Equifax, and TransUnion. You can apply either online or by calling the number on each bureau website.
Review your Social Security Administration account. Log in at ssa.gov/myaccount. Attackers sometimes redirect benefits or change contact information to intercept future fraud signals.
Check IRS filings. File an IRS Identity Theft Affidavit, Form 14039, if you suspect a tax related identity theft. You can also request an Identity Protection PIN, a six digit number that must accompany any tax return filed in your name.
Watch for secondary scams. Identity theft victims are aggressively targeted for follow on fraud under the guise of recovery help. Petronella Technology Group will never ask you to send cryptocurrency, gift cards, or wire transfers as part of a recovery. No legitimate firm does.
Common Questions About Hacked Accounts
Will you just log into my account and take it back?
No. Any firm that offers to log into your account is either dangerous or fraudulent. The account provider needs you to recover it using your identity documents. We coach you through the process, preserve evidence, and investigate root cause. That is the correct and safe model.
How long does account recovery take?
Anywhere from minutes to weeks depending on the platform, how much information the attacker changed, and whether you have trusted devices remaining. Apple and Google recoveries can take several days by design, as a security measure. A forensic engagement with Petronella Technology Group runs in parallel with the recovery request so time is not wasted.
What if the attacker used my account to scam others?
Document everything, notify those affected, file with FBI IC3 at ic3.gov, and talk to your attorney about any liability or notification obligations under state law. We help with the factual evidence record.
Do I need to call the police?
If money was lost, if identity theft is involved, or if the matter may escalate to a civil or criminal case, yes. A police report is often required by banks, insurance carriers, and some platforms before they will fully engage. FBI IC3 filings run in parallel with local law enforcement.
Will my cyber insurance cover personal account hacks?
Personal cyber insurance exists and is increasingly common as a homeowner or umbrella policy rider. Business cyber insurance covers compromised executive accounts when they relate to company operations. Check your declarations page and call your agent.
My account belongs to my small business. Can you help our whole tenant?
Yes. Business account compromise is often the entry point for a larger attack. We engage the full tenant, review all privileged accounts, check for OAuth persistence and malicious inbox rules, and help you decide whether wider notification is required.
What about parents helping a teenager who was compromised?
We work with parents regularly on social media, gaming account, and sextortion cases involving minors. If exploitation of a minor is involved, report to the NCMEC CyberTipline at report.cybertip.org and local law enforcement immediately.
Compromised Microsoft 365 Or Google Workspace Tenant
When the compromised account is a business mailbox inside a shared tenant, the response is different. It escalates to a full incident.
A single compromised Microsoft 365 or Google Workspace account is rarely the end of the story. Attackers routinely use a toehold account to send phishing across the organization, set up inbox rules that forward financial keywords to external addresses, authorize OAuth applications that maintain access even after password reset, and move laterally into SharePoint, OneDrive, and Teams. By the time the user realizes something is wrong, the footprint inside the tenant has often been in place for weeks.
If the account is inside a business tenant, contact the global administrator or your managed service provider first. If you are the owner and there is no IT staff, Petronella Technology Group can be engaged directly as an incident response firm. We will request temporary delegated access to the tenant, pull the audit log, identify every account that was touched, kill active session tokens across the tenant, and remove persistence.
We also review conditional access policies, MFA enforcement, OAuth application consent settings, and mailbox forwarding rules, and we flag weak areas that were almost certainly the way in. Most tenants we see have legacy authentication still enabled somewhere, or have exception users who were excluded from MFA years ago and never reenrolled. That is usually where the breach started.
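The mailbox rule review described above, as an added example that is not the firm's own tooling: it flags rules that send mail outside the tenant or that match financial keywords while removing the message from the inbox. The record layout, the `example.com` tenant domain, the keyword list and the sample rules are constructed assumptions.

```python
# Domains the organization owns (assumption for this example).
TENANT_DOMAINS = {"example.com"}
# Words a fraud-oriented rule tends to match on (assumed list, tune to your business).
FINANCE_WORDS = {"invoice", "payment", "wire", "ach", "remittance", "bank"}


def is_external(address):
    """True when the address is outside every tenant domain and its subdomains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in TENANT_DOMAINS)


def triage_rule(rule):
    """Return the findings for one exported inbox rule (empty list if it looks benign)."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = sorted(t for t in targets if is_external(t))
    keywords = {w.lower() for w in rule.get("keywords", [])}
    finance_hits = sorted(keywords & FINANCE_WORDS)
    hides = bool(rule.get("delete") or rule.get("move_to_folder"))
    if external:
        findings.append("sends mail outside the tenant: " + ", ".join(external))
    if finance_hits and (external or hides):
        findings.append("matches financial keywords: " + ", ".join(finance_hits))
    # Moving mail to a folder is normal on its own; it matters next to the signals above.
    if hides and (external or finance_hits):
        findings.append("removes matched mail from the inbox")
    return findings


def triage(rules):
    """Map (mailbox, rule name) to findings for every rule that needs a human look."""
    flagged = {}
    for rule in rules:
        findings = triage_rule(rule)
        if findings:
            flagged[(rule["mailbox"], rule["name"])] = findings
    return flagged


# Constructed sample export: mailboxes, rule names and addresses are invented.
SAMPLE_RULES = [
    {"mailbox": "ap@example.com", "name": ".", "keywords": ["Invoice", "wire"],
     "forward_to": ["collector@example.net"], "delete": True},
    {"mailbox": "ap@example.com", "name": "Newsletters", "keywords": ["newsletter"],
     "move_to_folder": "Reading"},
    {"mailbox": "ceo@example.com", "name": "To assistant",
     "forward_to": ["assistant@example.com"]},
    {"mailbox": "ceo@example.com", "name": "Cleanup",
     "keywords": ["Payment", "remittance"], "move_to_folder": "Archive"},
]

if __name__ == "__main__":
    for (mailbox, name), findings in triage(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Export and preserve the flagged rules before deleting them, since they belong in the evidence record.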
For regulated organizations (medical practices, defense contractors, financial advisors, law firms), a compromised business email account frequently triggers HIPAA, FINRA, state breach notification, or DFARS reporting obligations. Our incident report is structured so breach counsel can make those decisions from the same evidence pack.
One more thing worth knowing. Attackers who compromise a business email account often sit quietly for weeks watching how the organization invoices, which vendors are in the rotation, and how executives speak to staff. Only then do they send the perfectly timed wire fraud email impersonating a vendor or an executive. By the time you discover the initial compromise, the real target may have been a customer or partner further downstream. Widening the investigation beyond the first victim account is usually the right call, and it costs less than a second breach.
Training your staff on the specific tactics we saw in the incident is another high leverage action. Attackers rarely change their playbook across tenants. The inbox rule that hid the vendor fraud emails, the lookalike domain they registered, and the wording of the malicious messages are all useful teaching artifacts. We include redacted versions in the post incident briefing so your team internalizes what the attack actually looked like, not a generic awareness video.
Take Back Your Account Without Taking A Second Hit
A cautious, evidence preserving recovery is worth more than a fast one. Call Petronella Technology Group at (919) 348-4912 and we will walk through it with you.