PanicStation.org

What to do if…
you get a notice that your two-factor authentication method was changed without you

Short answer

Treat this as an account takeover in progress: go directly to the service’s official account-recovery/security page (not from the alert link), regain control, then sign out all devices and lock down recovery options.

Do not do these things

  • Don’t click “review change” links in the alert email/text if you’re even slightly unsure it’s genuine—open the service by typing the address yourself or using your saved official app.
  • Don’t “test” your password in the alert link or in a pop-up prompt.
  • Don’t delay because you’re not sure it’s “serious enough”—2FA changes are often used to lock you out.
  • Don’t reuse an old password or a password you use elsewhere.
  • Don’t ignore your email account: if attackers control your email, they can keep resetting other accounts.

What to do now

  1. Get to a safer login route (no links): Open the service/app directly and go to Security / Account / Login / 2-step verification or Account recovery.
  2. Try to regain control immediately:
    • If you can still log in: change your password to a long, unique one (a password manager helps), then continue.
    • If you can’t log in: use the provider’s official recovery flow (“I can’t access my account”, “Secure my account”, “Recover account”).
  3. Kick out other sessions: In account security, use “sign out of all devices/sessions” (or equivalent). Remove any unknown devices, trusted browsers, and connected apps you didn’t approve.
  4. Reverse the lockout changes (in this order):
    • Restore your 2FA to something you control (prefer an authenticator app, passkey, or security key where available).
    • Replace backup codes (generate new ones) and store them safely.
    • Check recovery options: recovery email(s) and phone number(s)—remove anything you don’t recognise.
  5. Check for persistence tricks (especially if this is email): Look for forwarding, filters/rules, and any delegated access you didn’t set. Remove them.
  6. Secure your email account next (critical): If the affected account is not your email, secure your primary email anyway—attackers often use it to take other accounts next.
  7. If your phone number might be involved: If the alert mentions a new number, or you suddenly lose mobile service / get “SIM changed” messages, contact your mobile network and ask them to check for an unauthorised SIM swap or number transfer, and what extra verification they can add (for example, an account PIN/password and extra checks on SIM swaps/number transfers).
  8. Capture a minimal record while it’s fresh: Note the service name, time of the alert, what was changed, and any device/location details shown. Screenshot the security page if it helps. (Don’t get stuck doing it.)
  9. Report if there’s fraud, threats, or loss: If money was taken, purchases were made, or you were scammed, report it to Report Fraud if you’re in England, Wales, or Northern Ireland. If you live in Scotland or it happened there, report to Police Scotland (101 for non-emergencies). If you’re in immediate danger, call emergency services.

What can wait

  • You don’t need to work out how it happened right now.
  • You don’t need to message everyone immediately—first stop the takeover and secure your email.
  • You don’t need to perfect your security setup today (you can upgrade to security keys/passkeys later once you’re back in).

Important reassurance

This kind of alert is designed to make you panic and click fast. Going slowly—opening the service directly, regaining access, signing out other sessions, and cleaning up recovery methods—is the most effective way to stop the damage.

Scope note

These are first steps to regain control and prevent immediate harm. If the account is business-critical, tied to banking, or you can’t recover it quickly, you may need specialist help from the provider and (if fraud occurred) official reporting routes.

Important note

This is general information, not legal or professional advice. Processes differ by provider and can change. If you’re locked out, use only the service’s official recovery/support channels and be cautious with any messages claiming to “help you recover” your account.
