What to Do After an Account Is Compromised: Practical First Steps

Discovering that one of your accounts has been compromised can be stressful and disorienting. Many people aren’t sure where to start, and in the rush to “fix everything,” it’s easy to miss steps that actually matter most.

If you suspect or confirm that an account has been accessed by someone else, these are the most important actions to take early.

1. Secure Access Before Making Other Changes

Before changing passwords across multiple accounts, start with the account that appears to be affected and any accounts tied to it for recovery.

This includes:

  • Changing the password to something unique and strong

  • Enabling multi-factor authentication (MFA) if it is not already enabled

  • Reviewing recovery email addresses and phone numbers

If an attacker still controls recovery options, they can often regain access even after a password change.

2. Check for Unauthorized Changes and Activity

Look for signs that settings or permissions were altered, such as:

  • New forwarding rules in email

  • Changes to profile or contact information

  • Login alerts from unfamiliar locations or devices

Understanding what changed helps determine whether the compromise was limited or if other accounts may also be at risk.
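The checks in this step, applied to an exported account activity log. This is an added example, not part of the original article; the event types, field names, devices, and addresses are constructed assumptions, since every provider exports activity in its own format.

```python
from datetime import datetime

# Constructed sample data; the event types and field names are hypothetical.
EVENTS = [
    {"time": "2024-05-04T09:30:00", "type": "login", "device": "phone-personal", "country": "US"},
    {"time": "2024-05-01T08:12:00", "type": "login", "device": "laptop-home", "country": "US"},
    {"time": "2024-05-03T02:47:00", "type": "login", "device": "unknown-android", "country": "ZZ"},
    {"time": "2024-05-03T02:51:00", "type": "forwarding_rule_added", "target": "archive@example.net"},
    {"time": "2024-05-03T02:53:00", "type": "recovery_phone_changed", "target": "+1-202-555-0100"},
]
KNOWN_DEVICES = {"laptop-home", "phone-personal"}   # devices you actually use
USUAL_COUNTRIES = {"US"}                            # where you normally sign in
OWN_DOMAINS = {"example.com"}                       # mail domains you control
SETTINGS_CHANGES = {"recovery_email_changed", "recovery_phone_changed", "profile_changed"}

def review(events, known_devices, usual_countries, own_domains):
    """Return (time, description) pairs for events worth a closer look, oldest first."""
    findings = []
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["time"])):
        kind = e["type"]
        if kind == "login":
            reasons = []
            if e["device"] not in known_devices:
                reasons.append("unfamiliar device")
            if e["country"] not in usual_countries:
                reasons.append("unfamiliar location")
            if reasons:
                findings.append((e["time"], "login from " + " and ".join(reasons)))
        elif kind == "forwarding_rule_added":
            # A rule that sends mail outside your own domains keeps leaking
            # messages even after the password is changed.
            domain = e["target"].rsplit("@", 1)[-1].lower()
            if domain not in own_domains:
                findings.append((e["time"], "mail forwarded to outside address " + e["target"]))
        elif kind in SETTINGS_CHANGES:
            # Recovery and profile changes are always listed: you confirm each one.
            findings.append((e["time"], kind.replace("_", " ") + ": " + e["target"]))
    return findings

if __name__ == "__main__":
    for when, what in review(EVENTS, KNOWN_DEVICES, USUAL_COUNTRIES, OWN_DOMAINS):
        print(when, "-", what)
```

The earliest finding gives a starting time for the incident, and the ordered list can go straight into the notes described in step 5.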

3. Protect Linked Accounts

Many services are connected through:

  • Single sign-on

  • Password recovery links

  • Saved credentials on devices

If one account is compromised, others may be exposed as well. Prioritize:

  • Primary email accounts

  • Financial services

  • Cloud storage and social media accounts tied to recovery workflows

4. Scan Devices for Malware or Persistence

If credentials were stolen through malware or browser extensions, changing passwords alone won’t solve the problem.

At minimum:

  • Run reputable antivirus or endpoint protection

  • Review installed browser extensions and remove anything unnecessary or unfamiliar

  • Apply operating system and application updates

In some cases, a more thorough system review may be warranted before restoring full access.

5. Document What Happened

Even in personal incidents, basic documentation can be valuable:

  • Dates and times of suspicious activity

  • Notifications received

  • Accounts affected

  • Steps taken to secure systems

This can help if you need to involve financial institutions, service providers, or legal counsel later.

6. Avoid Overcorrecting in the Moment

It’s common to want to change everything immediately. While some urgency is appropriate, rapid, unplanned changes can:

  • Lock you out of accounts

  • Break recovery processes

  • Complicate later investigation

A measured, prioritized approach is usually more effective.

When to Seek Additional Help

If you notice:

  • Repeated account takeovers

  • Financial impact

  • Data exposure

  • Signs of device-level compromise

it may be worth consulting a cybersecurity professional to ensure the risks are properly contained and do not recur.

Final Thought

Most personal cybersecurity incidents are not the result of highly sophisticated attacks. They are usually caused by reused passwords, phishing, or unsecured recovery settings. Addressing these fundamentals consistently is often the most effective way to reduce long-term risk.
