What to do after account takeover — containment, recovery, and prevention
What makes this confusing
Account takeover is one of the more disorienting security incidents a person can experience: control of an account you own has been transferred to someone else. The natural response is urgency without structure — try to regain access, change passwords everywhere, post about it online. Urgency without structure usually leaves gaps that allow continued or re-established access.
The critical question after account takeover is not 'how do I change my password' but 'what access does the attacker currently have, and through how many paths.' An attacker who has accessed your email account has not just your email — they have recovery access to every service that uses that email for account recovery. An attacker who has accessed your password manager may have read multiple accounts. The blast radius needs mapping before remediation.
Containment comes before recovery. Changing the password on the compromised account before identifying and closing all attacker access paths may just trigger the attacker to change the email or phone number on the account first, locking you out.
What people usually assume
The assumption 'changing my password immediately is the first step' is sometimes correct and sometimes the action that locks you out of your own account. If an attacker has already changed the recovery email or phone number associated with the account, regaining access requires going through the service's account recovery process — which the attacker may have also changed. Before changing a password, verify that your recovery methods (backup email, phone number) are still pointing to you.
A second assumption is that enabling 2FA after a takeover prevents further attacks. 2FA is important and should be enabled. But 2FA on the newly recovered account doesn't address how the takeover happened. If the attack vector was credential stuffing (a reused password from a breach), all other accounts with that password remain vulnerable. If it was SIM swap, the phone number-based recovery is still compromised. Enabling 2FA is one step in a remediation that should also address the root cause.
A third assumption is that the takeover affected only the targeted account. Attackers who successfully access an account often use it as a reconnaissance and pivot point. They may have set up mail forwarding rules, added an authorised application, changed a recovery method quietly to regain access later, or harvested information for attacks on other accounts. Even after you recover the account, auditing what was changed during the attacker's access is important.
What's actually true
The structured response to account takeover:
1. Identify what was compromised: which account, how it was accessed, what data was visible.
2. Recover access through the service's recovery process if you are locked out.
3. Audit account settings immediately on recovery: connected applications, forwarding rules, recovery email and phone, active sessions, authorised devices. Revoke anything you didn't add.
4. Identify connected accounts: what can be accessed or reset through the compromised account? Prioritise those.
5. Change the compromised account's password and enable the strongest available 2FA.
6. Change passwords on any accounts that shared the same password.
7. Determine the attack vector if possible (credential stuffing, phishing, SIM swap) and address it.
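As an added example (not part of the original guide), the blast-radius mapping behind steps 1, 4 and 6 as code: a constructed account inventory is walked along recovery-method edges (an account that can be reset through a controlled one is itself at risk, transitively) and checked for password reuse, producing the order in which connected accounts should be locked down. The Account fields, the 1-3 impact scale and the sample account names are assumptions made for this illustration, not anything from the guide.

```python
from collections import deque
from dataclasses import dataclass, field
@dataclass
class Account:
    name: str
    password_id: str             # opaque label; equal labels mean the password is reused
    recovery_via: list = field(default_factory=list)  # accounts that can reset this one
    impact: int = 1              # 1 low .. 3 high: consequence if the attacker controls it

def reachable_by_recovery(accounts, compromised):
    """Walk recovery edges from the compromised account; returns {account: reset chain}."""
    dependents = {}
    for acct in accounts:
        for parent in acct.recovery_via:
            dependents.setdefault(parent, []).append(acct.name)
    paths, queue = {compromised: [compromised]}, deque([compromised])
    while queue:
        cur = queue.popleft()
        for nxt in dependents.get(cur, []):
            if nxt not in paths:          # first visit in BFS = shortest chain
                paths[nxt] = paths[cur] + [nxt]
                queue.append(nxt)
    return paths

def shares_password_with(accounts, compromised):
    """Accounts reusing the compromised password: credential-stuffing exposure."""
    pw = next(a.password_id for a in accounts if a.name == compromised)
    return [a.name for a in accounts if a.name != compromised and a.password_id == pw]

def remediation_order(accounts, compromised):
    """Compromised account first, then its blast radius by descending impact."""
    paths = reachable_by_recovery(accounts, compromised)
    reused = set(shares_password_with(accounts, compromised))
    impact = {a.name: a.impact for a in accounts}
    rows = []
    for name in (set(paths) | reused) - {compromised}:
        reasons = []
        if name in paths:
            reasons.append("recovery chain: " + " -> ".join(paths[name]))
        if name in reused:
            reasons.append("same password as " + compromised)
        rows.append((name, reasons))
    rows.sort(key=lambda r: (-impact[r[0]], r[0]))
    return [(compromised, ["compromised account"])] + rows
# Constructed sample inventory (not real accounts); "phone" is the SIM-swap path into mail.
SAMPLE = [
    Account("phone", "p5", [], 2), Account("mail", "p1", ["phone"], 3),
    Account("bank", "p2", ["mail"], 3), Account("shop", "p1", ["mail"], 1),
    Account("cloud", "p3", ["mail"], 2), Account("vault", "p4", ["cloud"], 3),
    Account("forum", "p1", [], 1),
]
```

Running `remediation_order(SAMPLE, "mail")` lists the vault behind the cloud account (a two-hop recovery chain) and the forum that merely shares the password, which a per-account password change would miss.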
If the password manager itself was the compromised account: the priority is vault access recovery (if locked out) and then a comprehensive credential rotation starting with highest-consequence accounts. Vault audit logs, if available, can identify which credentials were accessed.
Prevention: a password manager with unique passwords removes credential stuffing as an attack vector. A hardware key for the email account removes phishing-based email takeover. TOTP (not SMS) for the password manager vault removes SMS-based vault access attacks. Emergency access configured before the incident ensures that vault recovery doesn't require proving identity to customer support that cannot help.
Where this leads
If your password manager was the account that was taken over — the breach response intent covers the specific steps for vault data triage and credential rotation priority.
My password manager was compromised — the immediate response guide
If you want to prevent account takeover by upgrading to phishing-resistant 2FA — the hardware security keys guide covers FIDO2 keys as the mechanism that prevents phishing-based takeover even when a password is stolen.
Hardware security keys — phishing-resistant 2FA
If this incident prompted re-evaluation of your current password manager's architecture — the how to evaluate guide covers the criteria that distinguish strong from weak provider architecture.
How to evaluate a password manager with security criteria first
Limits of this guide
Account takeover response depends heavily on which specific account was compromised and how the attacker gained access. This guide describes a generalised response framework. Specific services have specific recovery procedures, and some types of takeover (SIM swap, social engineering of support teams) require working directly with the service provider and potentially law enforcement.
© 2026 Softplorer