If you suspect an account has been taken over, the first 72 hours are decisive: that is the window in which an attacker typically adds persistence (recovery options, forwarding rules, app grants) and pivots to linked accounts.
Day 1 — contain
- Reset the password from a clean device, meaning one you are confident is not infected; a new password typed on a compromised device is captured as fast as the old one. Use a long, unique passphrase.
- Enable 2FA (prefer an authenticator app or hardware key over SMS, which is exposed to SIM swapping).
- Sign out of all sessions and revoke unfamiliar devices. A password reset alone does not always end sessions that are already signed in.
- Review and remove unfamiliar OAuth/connected apps and app passwords; these keep working after a password change.
- Check email forwarding rules, filters, and the recovery email and phone number. Attackers add forwarding to keep reading mail and filters that delete security alerts, so a reset can go unnoticed.
Day 2 — widen
- Reset passwords on every account that reused the same password or that can be recovered through the compromised mailbox.
- Check critical accounts for new logins, password changes, and changed recovery options.
- Notify your bank if the account stored payment methods or could reach a bank or payment login.
- Place a fraud alert with the credit bureaus if PII (name, address, ID numbers) was exposed.
Day 3 — document
- Build a clean evidence pack: timeline (timestamps in UTC, with the time zone noted), screenshots, account IDs, IPs, and the provider's exported login history.
- File a report at ic3.gov (the FBI's Internet Crime Complaint Center, for the US) and with your local police if appropriate.
- Save case numbers and reference IDs in one place; banks and providers will ask for them.
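The script below is an added example, not part of this guide, covering the Day 2 login review and the Day 3 evidence pack in one place. It takes a login-history export as a provider might produce it, flags entries from unfamiliar networks or devices and events that give an attacker a way back in after a reset, then assembles a chronological timeline with SHA-256 hashes of the collected artifacts so a reviewer can later confirm the files are unchanged. The field names, the known-network list, the event-type names and the sample events are all constructed assumptions; map your provider's export onto them.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample of a provider's login/security-activity export. The field
# names are an assumption for this example; map your provider's columns onto them.
LOGIN_EVENTS = [
    {"time": "2024-05-01T08:02:11Z", "ip": "203.0.113.7",
     "device": "iPhone (Safari)", "event": "login"},
    {"time": "2024-05-03T23:47:05Z", "ip": "198.51.100.23",
     "device": "Windows (Chrome)", "event": "login"},
    {"time": "2024-05-03T23:49:30Z", "ip": "198.51.100.23",
     "device": "Windows (Chrome)", "event": "recovery_email_changed"},
    {"time": "2024-05-03T23:51:02Z", "ip": "198.51.100.23",
     "device": "Windows (Chrome)", "event": "forwarding_rule_added"},
    {"time": "2024-05-04T07:15:44Z", "ip": "203.0.113.7",
     "device": "iPhone (Safari)", "event": "login"},
]

# What the account owner recognises (assumed for the example): home/office
# networks and the devices normally used to sign in.
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_DEVICES = {"iPhone (Safari)"}

# Event types (assumed names) that keep an attacker in even after a password reset.
PERSISTENCE_EVENTS = {
    "recovery_email_changed", "recovery_phone_changed",
    "forwarding_rule_added", "filter_added",
    "app_password_created", "oauth_grant_added",
}


def is_known_ip(ip: str) -> bool:
    """True if the address falls inside a network the owner recognises."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


def classify(event: dict) -> list:
    """Return the reasons an event is suspicious (empty list if none)."""
    reasons = []
    if not is_known_ip(event["ip"]):
        reasons.append("unfamiliar IP")
    if event["device"] not in KNOWN_DEVICES:
        reasons.append("unfamiliar device")
    if event["event"] in PERSISTENCE_EVENTS:
        reasons.append("persistence change")
    return reasons


def build_timeline(events: list) -> list:
    """Sort events chronologically (timestamps are UTC, ISO-8601) and annotate each."""
    timeline = []
    for e in sorted(events, key=lambda e: e["time"]):
        row = dict(e)
        row["flags"] = classify(e)
        timeline.append(row)
    return timeline


def suspicious_ips(timeline: list) -> list:
    """Addresses to put in the report and to search for in other accounts' logs."""
    return sorted({r["ip"] for r in timeline if "unfamiliar IP" in r["flags"]})


def compromise_window(timeline: list):
    """(first, last) timestamp of flagged events, or None if nothing was flagged."""
    flagged = [r["time"] for r in timeline if r["flags"]]
    return (flagged[0], flagged[-1]) if flagged else None


def evidence_pack(timeline: list, artifacts: dict) -> dict:
    """Assemble the pack. Each artifact (screenshot, export) is hashed so a
    reviewer can later confirm the file is the one that was collected."""
    return {
        "generated_utc": datetime.now(timezone.utc).isoformat(),
        "compromise_window": compromise_window(timeline),
        "suspicious_ips": suspicious_ips(timeline),
        "timeline": timeline,
        "artifacts": {name: hashlib.sha256(data).hexdigest()
                      for name, data in artifacts.items()},
        "case_numbers": {},  # fill in IC3, police and provider ticket IDs
    }


if __name__ == "__main__":
    tl = build_timeline(LOGIN_EVENTS)
    # b"abc" stands in for a screenshot file's bytes; read real files in binary mode.
    pack = evidence_pack(tl, {"login_history_screenshot.png": b"abc"})
    print(json.dumps(pack, indent=2))
```

On the constructed sample, the first flagged event is the 23:47 login from an address outside the known network, and the two changes that follow it (recovery email, forwarding rule) are what to revert first on Day 1. Keep the JSON output with the screenshots; the hashes let anyone you hand it to verify the files later.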
Habits that prevent the next incident
- A reputable password manager, so no two accounts share a password.
- Hardware-key 2FA on critical accounts (email, bank, password manager), which phishing kits cannot replay.
- A separate "sign-in" email used only for password resets and never published or used for correspondence, so phishing and credential stuffing aimed at your public address never reach the account that controls recovery.
Disclaimer: Educational only.