A compromised account does not always look dramatic.
Sometimes you are not locked out.
Sometimes your password still works.
Sometimes the only clue is a strange login alert, a message you did not send, a new device in the account settings, a recovery email you do not recognize, or a friend asking why you sent them a weird link.
That is what makes account takeover stressful.
You may still be inside the account while someone else is also inside.
The right response is not panic.
The right response is a careful security check.
This guide shows where to look, what to remove, and how to close the door properly.
Start with the most important accounts
If you are worried someone is logged in somewhere, do not check random apps first.
Start with accounts that can unlock other accounts or cause financial harm.
Check in this order:
Email account
Phone account or mobile carrier account
Password manager
Banking and payment apps
Main social media accounts
Cloud storage
Shopping accounts with saved cards
Work or school account
Government, tax, or benefits accounts
Messaging apps
Email is especially important because it is often used to reset passwords elsewhere.
If someone controls your email, they may be able to take over many other accounts.
Step 1: Look for recent account activity
Most major accounts have a security area that shows recent activity.
Look for menu names like:
Security
Privacy and security
Login activity
Recent activity
Devices
Sessions
Where you are logged in
Account access
Sign-in history
Active sessions
Connected devices
Review:
Device type
Browser
Location
IP address, if shown
Time of login
Failed login attempts
Successful sign-ins
Password changes
Recovery changes
New app connections
Security alerts
Do not panic if the location is slightly wrong.
Login locations can be approximate, especially with mobile networks, VPNs, travel, or internet providers.
Look for the full pattern.
An unknown device, strange country, odd time, new browser, and security change together are more concerning than one approximate city.
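One way to apply the "look for the full pattern" advice above is to score each sign-in event by how many independent warning signals coincide, and to escalate when a sign-in is followed within the hour by a security change from the same device. The Python below is an added example written for this guide, not code from the article or from any account provider; the baseline of known devices, browsers, home country and usual hours, and the sample activity list, are constructed assumptions a reader would replace with their own. A mismatched city on its own is deliberately not a signal, for the reason the guide gives.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed baseline for one account (assumption: you know your own devices,
# browsers, home country and the hours you usually sign in).
KNOWN_DEVICES = {"Pixel 7", "ThinkPad T14"}
KNOWN_BROWSERS = {"Chrome", "Firefox"}
HOME_COUNTRY = "US"
USUAL_HOURS = range(7, 23)
SECURITY_EVENTS = {"password change", "recovery change", "new app connection"}

@dataclass
class Event:
    when: datetime
    device: str
    browser: str
    country: str
    city: str
    kind: str = "sign-in"      # "sign-in" or one of SECURITY_EVENTS

def signals(e: Event) -> list[str]:
    """Independent warning signals for one event. A mismatched city alone is not a
    signal: geolocation from mobile networks, VPNs and ISPs is approximate, so the
    city field is only informational here."""
    out = []
    if e.device not in KNOWN_DEVICES:
        out.append("unknown device")
    if e.browser not in KNOWN_BROWSERS:
        out.append("new browser")
    if e.country != HOME_COUNTRY:
        out.append(f"country {e.country}")
    if e.when.hour not in USUAL_HOURS:
        out.append("odd hour")
    if e.kind in SECURITY_EVENTS:
        out.append(f"security change ({e.kind})")
    return out

def triage(events: list[Event]) -> list[tuple[Event, str, list[str]]]:
    """Label each event by how many signals coincide. A sign-in followed within an
    hour by a security change from the same device is escalated, because that is
    the classic takeover sequence: get in, then change the recovery settings."""
    events = sorted(events, key=lambda e: e.when)
    result = []
    for i, e in enumerate(events):
        sig = signals(e)
        if e.kind == "sign-in":
            for later in events[i + 1:]:
                if later.when - e.when > timedelta(hours=1):
                    break
                if later.kind in SECURITY_EVENTS and later.device == e.device:
                    sig.append(f"followed by {later.kind} from same device")
                    break
        if len(sig) >= 3:
            label = "act now"
        elif len(sig) == 2:
            label = "review"
        else:
            label = "probably fine"
        result.append((e, label, sig))
    return result

# Constructed sample activity, not real log data.
SAMPLE = [
    Event(datetime(2024, 5, 3, 19, 10), "Pixel 7", "Chrome", "US", "Oakland"),  # owner; city slightly off
    Event(datetime(2024, 5, 4, 3, 42), "Unknown Windows PC", "Edge", "RO", "Bucharest"),
    Event(datetime(2024, 5, 4, 3, 55), "Unknown Windows PC", "Edge", "RO", "Bucharest", "recovery change"),
    Event(datetime(2024, 5, 4, 9, 0), "ThinkPad T14", "Firefox", "US", "San Jose", "password change"),  # owner's own fix
]

def labels(events: list[Event] = SAMPLE) -> list[str]:
    return [label for _, label, _ in triage(events)]

if __name__ == "__main__":
    for e, label, sig in triage(SAMPLE):
        print(f"{e.when:%Y-%m-%d %H:%M}  {e.device:<20} {label:<14} {', '.join(sig) or '-'}")
```

Run against the sample, the owner's own Oakland sign-in scores zero signals even though the city is not where they live, while the two Bucharest events from the unknown PC score five and are labelled "act now". The owner's later password change from a known laptop scores one signal and stays "probably fine", which is the point: the thresholds reward the combination of signals, not any single one.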
Step 2: Check signed-in devices
The signed-in devices list shows where your account is currently or recently active.
Look for:
Old phones
Old laptops
Shared computers
Work devices
Public computers
Unknown phones
Unknown tablets
Browsers you do not use
Devices from places you have not visited
Devices active at impossible times
Duplicate-looking devices you cannot explain
If you see a device you do not recognize, do not ignore it.
Take a screenshot for your record.
Then prepare to sign it out.
Step 3: Sign out of unknown devices
Many accounts let you sign out of one device or all devices.
Use the strongest option available if you suspect compromise.
Look for:
Sign out
Remove device
Log out of all sessions
Sign out everywhere
Revoke access
End session
Remove trusted device
If you are not sure which device is yours, sign out of all devices and log back in only from your current trusted device.
This may be inconvenient.
But it is safer than leaving an unknown session active.
Important:
Sign out first if the account lets you. Then change the password immediately.
Some services also automatically sign out other sessions after a password change, but do not assume that. Use the explicit sign-out option when available.
Step 4: Change the password
After removing unknown sessions, change the password.
Use a password that is:
New
Long
Unique
Not used anywhere else
Not a small variation of the old one
Stored in a password manager, if you use one
Do not reuse a password from another account.
If the old password was used elsewhere, those other accounts may also be at risk.
Change them too, especially if they share the same email address.
A password manager can help you create different strong passwords without memorizing all of them.
Step 5: Turn on stronger MFA
Multi-factor authentication, also called MFA or two-factor authentication, adds another step beyond the password.
Turn it on where available.
Common options include:
Authenticator app
Passkey
Security key
Backup codes
Email code
SMS code
For important accounts, prefer stronger options when available, such as authenticator apps, passkeys, or security keys.
SMS codes are better than no MFA, but they can be weaker than app-based or device-based options.
After turning on MFA, save backup codes in a safe place.
Do not store backup codes only inside the same account they protect.
Step 6: Check recovery email and phone number
Attackers often change recovery settings so they can return later.
Check:
Recovery email
Recovery phone number
Backup codes
Security questions
Trusted devices
Authenticator apps
Passkeys
Security keys
Account recovery contacts
Alternate email addresses
Linked accounts
Remove anything you do not recognize.
Update old recovery details.
If your recovery phone number is old or your recovery email is abandoned, fix it now.
A secure password does not help much if someone can recover the account through an old address.
Step 7: Check third-party app access
Some account takeovers continue through connected apps.
Look for:
Connected apps
App permissions
Third-party access
Linked services
Authorized apps
OAuth access
Extensions
Integrations
Account connections
Remove anything you do not recognize or no longer use.
Be especially careful with apps that can access:
Email
Files
Contacts
Calendar
Messages
Cloud storage
Payment information
Social media posting
Account profile
An attacker may not need your password if a malicious connected app still has permission.
Step 8: Check forwarding, filters, and rules in email
Email accounts need extra attention.
If your email was accessed, check for hidden changes.
Look for:
Forwarding addresses
Mail filters
Rules
Blocked senders
Allowed senders
Auto-replies
Signature changes
Deleted messages
Sent messages
Trash
Archive
Recovery messages
Password reset emails
Security alert emails
Attackers may create a forwarding rule so they continue receiving your messages.
They may also create filters that hide security alerts or bank emails.
Remove rules you did not create.
Then search your email for terms like:
Password reset
Security alert
New login
Verification code
Recovery
Changed password
Added device
Payment
Bank
Delivery
Gift card
This helps you see what the attacker may have tried.
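The two checks in this step, auditing forwarding and filter rules and then searching the mailbox (Trash and Sent included) for the terms listed, can be run mechanically against an export of the rules and message list. The Python below is an added example written for this guide, not code from the article or from any mail provider; the MailRule shape, the owner's own addresses, and the sample rules and messages are constructed assumptions, and a real export would have to be mapped into that shape first.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed: the owner's own addresses. Forwarding anywhere else counts as external.
OWN_ADDRESSES = {"alex@example.com", "alex.backup@example.net"}

# The search terms from this step: the mail an intruder most wants to hide or intercept.
SENSITIVE_TERMS = [
    "password reset", "security alert", "new login", "verification code",
    "recovery", "changed password", "added device", "payment", "bank",
    "delivery", "gift card",
]
# Rule actions that keep a message out of the owner's sight.
HIDING_ACTIONS = {"delete", "archive", "mark read", "skip inbox", "move to spam"}

@dataclass
class MailRule:
    name: str
    condition: str                         # what the rule matches; "*" means all mail
    actions: list[str] = field(default_factory=list)
    forward_to: str | None = None

def is_external(address: str) -> bool:
    return address.lower() not in OWN_ADDRESSES

def audit_rules(rules: list[MailRule], forwarding_address: str | None = None) -> list[str]:
    """One finding per suspicious setting: account-level or per-rule forwarding to an
    outside address, rules that hide security or money related mail, and rules that
    silently act on all mail."""
    findings = []
    if forwarding_address and is_external(forwarding_address):
        findings.append(f"account-level forwarding to external address {forwarding_address}")
    for r in rules:
        cond = r.condition.lower()
        hiding = HIDING_ACTIONS.intersection(a.lower() for a in r.actions)
        if r.forward_to and is_external(r.forward_to):
            findings.append(f"rule '{r.name}' forwards mail to external address {r.forward_to}")
        hits = [t for t in SENSITIVE_TERMS if t in cond]
        if hits and hiding:
            findings.append(f"rule '{r.name}' hides mail matching {hits} via {sorted(hiding)}")
        if cond in ("", "*", "all mail") and (r.forward_to or hiding):
            findings.append(f"rule '{r.name}' applies to all mail")
    return findings

def search_mailbox(messages: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """(folder, subject) for every message whose sender or subject mentions a sensitive
    term. Trash, Archive and Sent are searched on purpose: a deleted password-reset
    mail sits in Trash, and scam messages sent from the account sit in Sent."""
    found = []
    for folder, sender, subject in messages:
        text = f"{sender} {subject}".lower()
        if any(t in text for t in SENSITIVE_TERMS):
            found.append((folder, subject))
    return found

# Constructed sample rules and messages, not a real export.
SAMPLE_RULES = [
    MailRule("Newsletters", "from:news@example.org", ["archive"]),
    MailRule("Filter 1", "subject:security alert", ["mark read", "delete"]),
    MailRule("Backup copy", "*", forward_to="mail.archive.2024@example-mail.test"),
    MailRule("Receipts", "subject:payment", ["move to Receipts"]),
]
SAMPLE_MESSAGES = [
    ("Trash", "no-reply@bank.example", "Security alert: new device added"),
    ("Trash", "accounts@shop.example", "Your password reset code"),
    ("Inbox", "friend@example.org", "Lunch tomorrow?"),
    ("Sent", "alex@example.com", "Gift card request"),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, forwarding_address="alex.backup@example.net"):
        print("RULE FINDING:", finding)
    for folder, subject in search_mailbox(SAMPLE_MESSAGES):
        print(f"{folder:<6} {subject}")
```

Note what is and is not flagged: the "Newsletters" archive rule and the "Receipts" rule that merely files payment mail into a folder produce no finding, while the innocuously named "Filter 1" (which marks security alerts read and deletes them) and "Backup copy" (which forwards every message to an outside address) each do. Attackers pick bland rule names on purpose, so the audit looks at what a rule does, not what it is called.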
Step 9: Check account settings for quiet changes
Someone inside your account may change settings quietly.
Review:
Name
Profile photo
Username
Email address
Phone number
Shipping address
Billing address
Saved cards
Default payment method
Subscriptions
Family sharing
Account delegates
Login methods
Privacy settings
Public posts
Recent purchases
Saved addresses
Authorized users
Recovery settings
For shopping accounts, check orders and saved addresses.
For social media, check sent messages, posts, linked apps, and account email.
For banking and payments, check transactions and linked devices immediately.
Step 10: Check for messages you did not send
Look at:
Sent email
Social media messages
Messaging app chats
Comments
Posts
Marketplace messages
Account notifications
Shared file links
Calendar invites
Contact requests
If someone sent scam messages from your account, warn affected contacts.
Use a short message:
“My account was accessed without permission. Please ignore any recent links, payment requests, or unusual messages from me. I have changed my password and secured the account.”
Do not include suspicious links in your warning.
Step 11: Check financial damage
If the account connects to money, check quickly.
Review:
Bank transactions
Card charges
Payment app activity
Shopping orders
Gift card purchases
Subscription changes
Refund destination
Saved payment methods
New addresses
New payees
Money transfers
Crypto activity
Loan or credit applications
Credit report alerts, if relevant
If you see unauthorized activity, contact the bank, card issuer, payment provider, or financial institution immediately.
Do not wait for the account-security review to be perfect.
Financial accounts need fast action.
Step 12: Secure the device you are using
If your password keeps getting changed or suspicious activity continues, the device itself may be a problem.
Use a trusted device if possible.
Then:
Update your operating system.
Update your browser.
Update security software.
Remove unknown browser extensions.
Remove unknown apps.
Run a security scan if available.
Check for remote-access apps you did not install.
Avoid using public or shared computers.
Restart the device after updates.
Change passwords from a trusted device.
If you suspect serious malware or spyware, get professional help or use another trusted device for recovery.
Changing passwords from a compromised device may not solve the problem.
Step 13: Review saved passwords
If one password was reused, the risk spreads.
Check whether the same password was used for:
Email
Social media
Shopping
Streaming
Cloud storage
Work tools
Banking
Payment apps
Delivery apps
Forums
Old accounts
Change reused passwords.
Start with email, financial accounts, and accounts with saved cards.
Use unique passwords for every important account.
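Step 4's rules for a replacement password (new, long, unique, not a small variation of the old one) and this step's reuse check can both be applied mechanically to a password-manager export. The Python below is an added example written for this guide, not code from the article or from any password manager; the vault contents, the account "kinds" used for prioritisation, and the minimum length of 16 characters are constructed assumptions (the guide says "long" without giving a number). The "small variation" test treats a candidate as too close to the old password when it differs by at most two edits, or only by case and trailing digits or symbols, which catches the Summer2023 to Summer2024 habit. The reuse report returns account names only; the passwords themselves are never printed.

```python
from __future__ import annotations
import re

# Constructed vault export (assumption: account -> (kind, password), as exported
# from a password manager). These are not real credentials.
VAULT = {
    "mail.example": ("email", "Tr0ub4dor&3"),
    "bank.example": ("financial", "Tr0ub4dor&3"),
    "shop.example": ("saved card", "hunter2"),
    "forum.example": ("other", "hunter2"),
    "cloud.example": ("other", "correct horse battery staple"),
}
# The order in which the guide says to fix reused passwords: email and money first.
PRIORITY = {"email": 0, "financial": 1, "saved card": 2, "social": 3, "other": 4}
MIN_LENGTH = 16   # assumption; the guide says "long" without a number

def normalize(pw: str) -> str:
    """Lowercase and drop trailing digits/symbols, so 'Summer2023!' and 'summer2024'
    compare equal: the most common kind of 'small variation'."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_small_variation(old: str, new: str) -> bool:
    return normalize(old) == normalize(new) or edit_distance(old, new) <= 2

def check_new_password(new: str, old: str, vault: dict) -> list[str]:
    """Return the reasons a candidate replacement password is not acceptable
    (empty list means it passes all of Step 4's rules)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append(f"too short ({len(new)} < {MIN_LENGTH})")
    if new == old:
        problems.append("same as the old password")
    elif is_small_variation(old, new):
        problems.append("small variation of the old password")
    used_by = [name for name, (_, pw) in vault.items() if pw == new]
    if used_by:
        problems.append(f"reused: already the password for {', '.join(used_by)}")
    return problems

def reuse_report(vault: dict) -> list[list[str]]:
    """Groups of accounts that share one password, most important accounts first.
    Only account names are returned; the passwords never leave the vault dict."""
    by_pw: dict[str, list[str]] = {}
    for name, (_, pw) in vault.items():
        by_pw.setdefault(pw, []).append(name)
    groups = [sorted(names, key=lambda n: PRIORITY[vault[n][0]])
              for names in by_pw.values() if len(names) > 1]
    groups.sort(key=lambda g: PRIORITY[vault[g[0]][0]])
    return groups

if __name__ == "__main__":
    for group in reuse_report(VAULT):
        print("shared password:", " / ".join(group))
    for candidate in ("Tr0ub4dor&4", "hunter2", "sunset-ledger-walrus-pinecone-42"):
        print(candidate, "->", check_new_password(candidate, "Tr0ub4dor&3", VAULT) or "ok")
```

Run this locally against your own export, never in a shared notebook or a web tool, since the vault is plaintext while the script runs. On the sample, the report lists the email and bank accounts first because they share a password, then the shop and forum pair; bumping the old password's last digit is rejected as a small variation, "hunter2" is rejected because two other accounts already use it, and only the long unrelated passphrase passes.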
Step 14: Check account alerts
Turn on alerts where useful.
Examples:
New login alert
Password change alert
Payment alert
Large transaction alert
New device alert
New payee alert
New address alert
Security setting change alert
Recovery email change alert
Purchase confirmation
Money transfer alert
Alerts do not prevent every problem.
But they can tell you when something changes.
Make sure alerts go to an email and phone number you control.
Step 15: Save proof of suspicious activity
Before deleting everything, save basic proof.
Take screenshots of:
Unknown device
Unknown login
Security alert
Changed recovery email
New forwarding rule
Unauthorized purchase
Suspicious message
Connected app you did not approve
Unknown address
Password reset email
Case number from support
You may need proof for:
Account recovery
Bank dispute
Platform support
Police report, if serious
FTC report
Employer or school IT
Identity theft recovery
Insurance claim, if applicable
Do not share sensitive screenshots publicly.
Keep them in a secure folder.
Step 16: Contact platform support if needed
Contact official support if:
You cannot sign out unknown devices.
You cannot remove recovery options.
You cannot change the password.
The attacker changed the email or phone.
The account is locked.
Unauthorized purchases happened.
Your account is posting or messaging without control.
You lost access after trying to recover it.
MFA was changed without your permission.
Use official support pages only.
Be careful of fake “account recovery” services. Scammers often target people who are already worried.
Do not pay strangers who promise to hack back or recover accounts through unofficial methods.
Step 17: If it is a work, school, or shared account
If the account belongs to work or school, or stores work data, contact the IT or security team immediately.
Do not try to hide it.
They may need to:
Revoke sessions
Reset credentials
Check logs
Remove malicious rules
Inspect devices
Warn other users
Protect company or school data
Disable risky app access
Fast reporting helps reduce damage.
Step 18: Watch the account for a week
After securing the account, keep watching.
For the next 7 days, check:
New login alerts
Password reset attempts
Recovery changes
Unknown devices
New connected apps
Financial activity
Messages sent
Email forwarding
Deleted messages
New subscriptions
Shopping orders
Cloud file sharing
Account notifications
If suspicious activity returns, repeat the review from a trusted device and contact support.
A realistic example
A reader receives a login alert from a city they do not recognize.
They can still access the account.
Instead of ignoring it, they open account security settings.
They find an unknown browser session from two hours earlier.
They take a screenshot, sign out of all devices, change the password, turn on authenticator-app MFA, remove an old recovery email, and check email forwarding rules.
Then they search sent messages and find a scam link sent to three contacts.
They warn those contacts.
They check payment apps and shopping accounts connected to that email.
No charges appear.
For the next week, they watch login alerts.
The problem is contained because they acted quickly and checked the whole account, not only the password.
The account takeover checklist
If you think someone else is logged in:
Start with email, phone, password manager, financial, and main social accounts.
Check recent activity and sign-in history.
Review signed-in devices and active sessions.
Screenshot unknown devices or logins.
Sign out unknown sessions.
Use “sign out everywhere” if available.
Change the password from a trusted device.
Use a new, long, unique password.
Turn on MFA.
Prefer authenticator app, passkey, or security key where available.
Save backup codes safely.
Check recovery email and phone number.
Remove recovery options you do not recognize.
Review connected apps and third-party permissions.
Check email forwarding, filters, rules, sent messages, and trash.
Review profile, payment, shipping, privacy, and account settings.
Check for messages, posts, or purchases you did not make.
Contact banks or payment providers immediately for unauthorized transactions.
Update your device and remove unknown apps or browser extensions.
Change reused passwords on other accounts.
Turn on login and security alerts.
Contact official platform support if you cannot secure the account.
Warn contacts if scam messages were sent from your account.
Monitor the account for at least a week.
Final thought
When you suspect account takeover, changing the password is important, but it is not the whole job.
You also need to check who is logged in, remove unknown sessions, review recovery settings, remove suspicious app access, check email rules, look for messages or purchases you did not make, and turn on stronger MFA.
The goal is to close every door the intruder may have used.
Act calmly, use official settings, save proof, and start with the accounts that can unlock everything else.
