Regaining Control

So you’re pretty sure your account has been compromised.  Don’t panic. This fucking sucks and can be a longer process but accounts can be locked down if still accessible and can be regained if they’ve been taken over or shut down from the outside. The thing we encourage the most is to communicate when an attack or hack happens. The process of being impersonated or attacked online can be isolating and it’s easy to slip into feeling shame around being the person whose information has been compromised. None of us has perfect security. We’re all constantly building better practices and learning new tactics.  Sharing information keeps us all safer as well as giving you access to the resources and knowledge of your particular community. Plus, this process can be a huge time suck and bringing trusted folks on board to help with it can mean the difference between doable and just a giant unclimbable mountain of tasks.

Are you able to access the accounts?

  • Many email providers have a “log out of all other active sessions” button – hit this right away, then start your longer process of securing your account, starting with a password change.
  • The first thing to do is get your accounts locked down. Don’t just secure the account in question, look at your network of accounts and tighten security on any additional accounts that may be connected (shared usernames, email address as login, etc).
    • Change your passwords (yes, all of these connected accounts)! Length is the best indicator of a strong password – we recommend a random combination of words, but for more tips take a look at our password guide.
    • Enable 2 Factor Authentication. We’ve got a breakdown of some of the benefits and drawbacks of different options for 2FA on this site, but when you’re concerned about being hacked in the immediate, enable it on every account it’s an option on even if it’s just SMS verification.
    • Look at your accounts and see what information is accessible on them. If you’re getting login attempts but no logins, ideally none of your information has been accessed yet. Even if it has, closing off exposing any more information than has already been exposed is a good way to go. Do you have 10 years of emails or a giant stash of photos? When time is of the essence, you can mass export everything on your account, clean it out, then sort out what you need and don’t need to keep offline.
    • With behemoth services like Google, there can be a lot of hidden data caches. Try and go through everything associated with an account. Be as methodical as you can and remember that even if you haven’t actively used a service, it may have still pulled information that can be useful to adversaries. Contacts are a prime example of this.
  • We do not recommend closing accounts at this time. Nearly all major services leave a grace period to recover deleted or deactivated accounts, with fedbook waiting 14 days to begin deletion with the deletion process taking up to an astounding 90 days to complete. In some cases (like gmail), when 2 factor authentication has been enabled for the login process, it has been removed from the reactivation process. Also, remember that some sites (like yahoo) allow reuse of usernames and if you take your account down an adversary may be able to impersonate you or even use a remade address to get into an account it was listed as the recovery contact for.
  • Check for logs on account access and save them, whether through exporting or taking a screenshot. Tracking the IP addresses can give tech-minded friends a starting place as well as let us develop a better map of attack vectors and threats.
  • Check the settings on your email after an incident. Attackers may have left your access to an account intact but put in backdoors for themselves. Make sure that emails aren’t being forwarded, that your replyto information hasn’t been tampered with and that no other account access has been given. Really, what you want to look for here is any email address listed in your settings that isn’t your email address.
  • Check for any sent mail, including in the trash. Save everything and keep a log of what was done with your account. Get in touch with anyone contacted by the intruder and keep track of any messages they may have sent back. So much personal information is stored in accounts that we’ve seen adversaries be extremely convincing and manipulative when interacting with unknowing friends.
  • Take stock of what information was in the compromised account. What information can be pulled from your saved information? Whose contact details were in the account? What work might be at risk and is there any physical danger or legal risk that could arise in the immediate future?

Are you unable to access your account?

  • If just the password has been changed, you may still be able to gain access through the recovery process.
  • If you’re locked out of a recovery process, it’s time to work on regaining access to the account or getting it taken down. Depending on the service, this can be a lengthy process. Sharing information with everyone connected to the account so they’re not fooled by any messages and can remove themselves from social media friends lists is crucial during this process.
  • Some sites have fairly straightforward reporting/regaining access processes but others will throw up roadblocks. Don’t be discouraged at this point – there are still options.
  • Common account solutions:
    • Facebook
      • There’s a pretty straightforward reporting tool for accounts that have your name attached to them. You can report from the page itself if you have an account you can access or go to to report impersonation without an account. We’ve seen turnaround of under 24 hours with this tool, so it’s a great first option for compromised or new impersonating accounts.
      • If that doesn’t work or if you have a pseudonym on your account that means Facebook won’t help you, it’s going to be a little bit harder. This is a stage that’s good to tag in friends to help out with alerting people. Contact everyone that’s friends with the compromised or fake account. Ask them to report the account for impersonation, for being fake, really just report it over and over. They need to remove “your” account as a friend to stem the flow of information. If circumstances allow this, ask them to post that your account has been compromised and is not you to get info out there more quickly.
      • While you do all those things, it’s also good to start the process of making person-to-person contact with support. We’ve had mild success using the language of “stalking” and “harassing” when working to get accounts taken down and recommend working with the support humans wherever possible.
    • Gmail
      • Gmail sucks to recover/takedown, full stop. If you’ve gone through every available recovery option and are still locked out, it’s going to be a bit of a fight.
      • Have anyone that receives an email from the account save the email, export it if possible, and report it for phishing. This has some potential for long-term success – if every time an account emails it’s reported, gmail will theoretically take it down.
      • Start the contact process through the Google help forums – they don’t have a number to call and it’s fairly difficult to get a constructive human on the phone but it’s worth opening the door.
      • What we’ve actually seen be effective is coming at it from the human side rather than the tech side. We’ve seen account access regained through a combination of heavy documentation, finding a direct contact at Google, and having a lawyer be down to work on them.
  • By and large, the strategy that works best is – contact connected people. Report everything you can on the account. Start talking to humans at whatever email or network it is. Use the language of stalking and harassment because it’s something that a lot of these places may have experience of dealing with. Be ready for this to be a community effort and know that it might take some time to get the results you need.
  • We suggest that as you regain control of accounts, the steps at the beginning of this guide be followed – log information, figure out who needs to be contacted, lock down your security.