PanicStation.org
UK USA
uk Technology & digital loss password reset spam • unexpected password reset emails • flood of reset messages • reset email i didn't request • account takeover warning • someone trying to hack my account • email inbox bombing • subscription bombing • lots of security codes • one-time passcode emails • otp messages i didn't request • strange login alerts • my email is being targeted • password reset loop • suspicious account activity • compromised email account • attacker knows my email address • reset link phishing • urgent account security

What to do if…
you get a flood of password reset messages for accounts you did not request

Short answer

Do not click any links in the messages. Secure your email account first (password + 2-step verification), then check for one “real” security alert hiding in the noise.

Do not do these things

  • Do not click “reset password”, “verify”, or “unsubscribe” links inside the emails, even if they look familiar.
  • Do not reply to the messages or call phone numbers shown in them.
  • Do not bulk-delete everything immediately if you can avoid it — attackers sometimes use the flood to hide one important message (like a real password change or purchase).
  • Do not share any security codes (one-time passcodes) with anyone, even someone claiming to be “support” or “security”.
  • Do not turn off 2-step verification to “make it stop”.

What to do now

  1. Pause the flood from turning into a lockout

    • Put your phone on Do Not Disturb for 2 minutes if the notifications are making you rush.
    • Open a new browser tab and type your email provider’s address yourself (or use the official app). Do not use any links from the emails.

  2. Secure your email account first (this is the key account)

    • Change your email password to a long, unique one.
    • Turn on 2-step verification (use an authenticator app where possible).
    • In your email security settings, sign out of other devices/sessions and review recent sign-ins for anything you don’t recognise.

  3. Check for silent takeovers inside your mailbox

    • Look for auto-forwarding or mail rules/filters you didn’t create (for example: “forward all mail to…”, “mark as read”, “archive”, “delete”).
    • Remove any unknown forwarding addresses and delete suspicious rules.

  4. Find the one message that matters

    • Use search in your mailbox for: password changed, new sign-in, security alert, purchase, order, new device, two-factor, login code.
    • Prioritise messages from services that could cause real harm quickly (email provider, banking, payment apps, mobile network, Apple/Google/Microsoft, social media with payment methods attached).

  5. For any account you actually use: verify safely, then change passwords

    • For each important service, open the service by typing its address yourself (or via the official app), sign in, and check:
      • recent logins/devices
      • security settings
      • recovery email/phone
      • active sessions
    • If anything looks off, change that account’s password and enable 2-step verification there too.

  6. Report suspicious messages (UK)

    • If emails look like scams or fake resets, forward them to report@phishing.gov.uk.
    • Mark messages as spam/junk in your email client to improve filtering.

  7. If you see money movement or a real account takeover

    • Contact the affected provider’s support from within their official app/site.
    • If you’ve lost money, been tricked into sharing details, or accounts were accessed through fraud:
      • England, Wales, Northern Ireland: report to Report Fraud (the national fraud/cyber reporting service, often referred to as Action Fraud).
      • Scotland: report to Police Scotland on 101.

What can wait

  • You do not need to “clean up” every single email right now.
  • You do not need to close accounts you don’t recognise today.
  • You do not need to figure out exactly how you were targeted before you secure your email and key accounts.

Important reassurance

A password reset email often only proves someone knows your email address — not that they got into your account. The dangerous moment is when panic makes you click a link, approve a prompt, or share a code. Slowing down and logging in the safe way is the right move.

Scope note

This is first steps only to stop immediate harm and prevent lockouts. If you confirm an account was taken over or money was stolen, next steps may involve provider investigations and formal reporting.

Important note

This is general information, not legal, financial, or technical professional advice. If you’re not sure whether a message is genuine, treat it as suspicious and access accounts only through official apps or addresses you type yourself.

Additional Resources
Support us