What to do if an account is compromised
A calm, step-by-step guide to recovering a hacked email, social media, hosting, or other business account — and locking down everything else.
Realizing that someone has gotten into your account is genuinely unsettling. Please take a breath. You can recover from this. The key is to act systematically rather than in a panic, and to work through the steps in the right order.
This guide applies to any account: email, social media, your hosting account, your domain registrar, and more.
Quick summary
If an account is compromised: get back in as quickly as possible (use account recovery if needed), change the password immediately, turn on 2FA, check for any settings changes the attacker made, then scan related accounts. Email is the most critical account to secure first — it's how everything else resets.
Signs that an account has been compromised
- You receive a login notification for a device or location you don't recognize
- You're suddenly locked out of an account
- Colleagues, customers, or followers report receiving strange messages from you
- You find emails in your sent folder that you didn't send
- Your social media account is posting things you didn't post
- Your account settings, payment details, or email address have been changed
Your first priority: regain access
If you've been locked out, go through the official account recovery process immediately. Don't delay.
- Email (Google/Gmail): accounts.google.com/signin/recovery
- Email (Microsoft/Outlook): account.live.com/acsr
- Facebook: facebook.com/hacked
- Instagram: Use "Get more help" on the login screen
- For other accounts: look for "Forgot password" or "Can't sign in" on the login page
If the attacker changed your recovery email or phone number, account recovery can take longer. Most platforms have a process for this — it usually involves verifying your identity through other means.
Step 1: Change your password immediately
Once you're back in, change the password to something strong and unique — use your password manager to generate one. See How to create strong passwords.
Step 2: Enable two-factor authentication right now
If 2FA wasn't on before, turn it on now before doing anything else. This is what stops the attacker from getting back in even if they still have your password.
See How to set up two-factor authentication.
Step 3: Check and reverse any changes the attacker made
Attackers often make changes to maintain access even after you change your password. Check everything:
Review account settings. Look for any changes to your recovery email, phone number, name, or contact information. Change anything suspicious back.
Check for email forwarding rules. In Gmail: Settings → See all settings → Forwarding and POP/IMAP. In Outlook: Settings → Mail → Rules. Delete any rules you didn't create — especially ones that forward all your email to an outside address.
Check connected apps and sessions. Most accounts show you what apps have access and what devices are currently logged in. Revoke access for anything you don't recognize.
Review recent activity. Look at sent messages, posted content, or activity logs for anything you didn't do. Note the approximate times — this helps you understand what was accessed.
Check payment methods. If the account has payment information attached (hosting, domains, advertising accounts), verify it hasn't been changed.
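The forwarding-rule check in Step 3 can be done against a file rather than by clicking through settings: Gmail's Settings → Filters and Blocked Addresses → Export produces an Atom XML feed in which each filter is an entry of `apps:property` name/value pairs. The script below is an added example, not part of this guide or its author's tooling; it parses such an export and flags filters that forward mail to an address outside your own domain or that archive, trash, or mark-as-read incoming mail (the usual way an intruder hides password-reset and invoice messages from the real owner). The sample feed is constructed, and `example.com` stands in for your organization's domain.

```python
"""Audit an exported Gmail filter list for rules an attacker might have added.

Added example, not part of the original guide. The feed below is a constructed
sample in the shape of a Gmail filter export; "example.com" stands in for the
organization's own domain.
"""
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter actions that keep mail out of the owner's sight: a common way to keep
# control of a mailbox after a takeover.
HIDING_ACTIONS = {"shouldArchive", "shouldTrash", "shouldMarkAsRead"}

SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='invoice OR payment OR password'/>
    <apps:property name='forwardTo' value='backup.mail.7731@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <title>Mail Filter</title>
    <apps:property name='from' value='alerts@bank.example.org'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return each filter in the export as a dict of property name -> value."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    filters = []
    for entry in root.findall(f"{ATOM}entry"):
        props = {}
        for prop in entry.findall(f"{APPS}property"):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def audit_filters(xml_text, own_domains):
    """Flag filters that forward outside own_domains or hide incoming mail.

    Returns a list of (filter_index, reason) tuples, in filter order; an empty
    list means nothing suspicious was found.
    """
    own = {d.lower() for d in own_domains}
    findings = []
    for idx, props in enumerate(parse_filters(xml_text)):
        target = props.get("forwardTo", "").strip().lower()
        if target:
            domain = target.rsplit("@", 1)[-1]
            if domain not in own:
                findings.append((idx, f"forwards to external address {target}"))
        hiding = sorted(a for a in HIDING_ACTIONS if props.get(a) == "true")
        if hiding:
            findings.append((idx, "hides mail via " + ", ".join(hiding)))
    return findings


if __name__ == "__main__":
    for idx, reason in audit_filters(SAMPLE_EXPORT, ["example.com"]):
        print(f"filter #{idx}: {reason}")
```

Run against a real export, this reports the filter number and the reason so you can find and delete the matching rule in Gmail; a filter that both forwards externally and archives is the pattern worth treating as a confirmed sign of compromise rather than a stray setting.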
Step 4: Secure related accounts
If the compromised account is your email, this is especially urgent. Email is used to reset passwords for every other account. An attacker with access to your email may have already used it to gain access to other accounts.
Work through your most important accounts:
- Your password manager (if you use one)
- Your website and hosting account
- Your domain registrar
- Financial accounts (banking, Stripe, PayPal)
- Social media accounts
- Cloud storage (Google Drive, OneDrive, Dropbox)
Check each one for unusual activity. Change passwords anywhere you used the same password as the compromised account.
Step 5: Check devices for malware
If an attacker had access to your email, they may have used it to send you a malicious email that installed malware. Or the account may have been compromised through malware on your device.
Run a malware scan on any device you use for that account. See Malware & your website explained.
Step 6: Tell the people who need to know
Depending on what was accessed, you may need to notify:
- Your team — especially if the account was a shared one or if they received suspicious messages from you
- Customers or contacts — if the attacker sent messages from your account to your contacts
- Your bank or payment processor — if financial information was potentially exposed
- A data protection authority — if customer personal data was involved (this may be legally required — consult a lawyer)
Financial fraud: act within hours
If any financial account was accessed or if fraudulent transfers occurred, call your bank immediately. Fraud reversals are time-sensitive — hours matter.
Specific guidance by account type
Email accounts
Email is the highest-priority account because it controls everything else. After regaining access:
- Check forwarding rules and delegated access
- Look at your sent folder for messages you didn't send
- Check whether the attacker used your email to reset passwords elsewhere
- Enable 2FA if it wasn't already on
- Review devices with access to your account and sign out unfamiliar ones
Hosting and domain accounts
- Change your hosting account and control panel passwords immediately
- Check for any new domain redirects, new user accounts, or changed DNS settings
- If your domain was involved, enable domain lock (registrar lock) to prevent transfers
- Contact us — we can review your hosting environment for changes
- See Securing your domain name
Financial and payment accounts
- Call your bank or payment processor immediately if you suspect fraud
- Review recent transactions and dispute any you don't recognize
- Change the billing email address and password, and enable 2FA
- Check if any payment methods were added or changed
- Report fraud to the FTC at reportfraud.ftc.gov (US) or your local equivalent
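Two of the hosting and domain checks above, "changed DNS settings" and "registrar lock", are easier to do reliably from a saved baseline than from memory. The script below is an added example, not part of this guide or its author's tooling: it compares a current set of DNS records against a known-good copy so that repointed, added, or removed records show up as before/after pairs, and it reads a WHOIS response to confirm that a transfer-prohibited status is present. All record sets and the WHOIS excerpt are constructed samples; in practice you would fill the current records from your DNS host's export or a `dig` run, and the WHOIS text from `whois yourdomain`.

```python
"""Compare current DNS records against a known-good baseline, and check a
WHOIS response for a registrar transfer lock.

Added example, not part of the original guide. The record sets and WHOIS
excerpt are constructed; "example.com" stands in for your own domain.
"""

# Each record is (name, type, value). TTLs are deliberately left out so that a
# TTL tweak cannot mask a real change in the comparison.
BASELINE_RECORDS = {
    ("example.com.", "A", "203.0.113.10"),
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 mx -all"),
}

CURRENT_RECORDS = {
    ("example.com.", "A", "198.51.100.77"),        # site now points elsewhere
    ("www.example.com.", "CNAME", "example.com."),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "MX", "5 mx.example.net."),   # new, higher-priority MX
    ("example.com.", "TXT", "v=spf1 mx include:example.net -all"),
    ("login.example.com.", "A", "198.51.100.78"),  # new subdomain
}

# Constructed WHOIS excerpt in the usual "Key: value" layout.
WHOIS_TEXT = """\
Domain Name: EXAMPLE.COM
Registrar: Example Registrar, LLC
Updated Date: 2024-05-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE.COM
"""

# EPP status codes that block a transfer away from the current registrar.
TRANSFER_LOCK_STATUSES = {"clienttransferprohibited", "servertransferprohibited"}


def diff_records(baseline, current):
    """Return (added, removed) record lists, each sorted for stable output."""
    added = sorted(current - baseline)
    removed = sorted(baseline - current)
    return added, removed


def record_changes(baseline, current):
    """Group the diff by (name, type) so a repointed record reads as before/after.

    Returns {(name, type): {"before": [values], "after": [values]}}; an empty
    dict means the current records match the baseline exactly.
    """
    added, removed = diff_records(baseline, current)
    changes = {}
    for name, rtype, value in removed:
        changes.setdefault((name, rtype), {"before": [], "after": []})["before"].append(value)
    for name, rtype, value in added:
        changes.setdefault((name, rtype), {"before": [], "after": []})["after"].append(value)
    return changes


def transfer_locked(whois_text):
    """True if any 'Domain Status' line carries a transfer-prohibited status."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "domain status":
            fields = value.strip().split()
            if fields and fields[0].lower() in TRANSFER_LOCK_STATUSES:
                return True
    return False


if __name__ == "__main__":
    for (name, rtype), change in sorted(record_changes(BASELINE_RECORDS, CURRENT_RECORDS).items()):
        print(f"{name} {rtype}: {change['before'] or '(none)'} -> {change['after'] or '(none)'}")
    print("registrar transfer lock:", "on" if transfer_locked(WHOIS_TEXT) else "OFF, enable it")
```

Keep the baseline file somewhere outside the hosting account itself (a password-manager note works), since an intruder with control-panel access can edit anything stored alongside the records; the same before/after layout also makes a clean record to hand to your host or registrar when you ask them to review the account.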
Related guides
- Two-factor authentication, explained
- How to set up two-factor authentication
- What to do if your site is hacked
- How to recognize phishing attempts
- Your business security checklist