PanicStation.org
UK USA
uk Technology & digital loss cloud storage deleting files • files disappearing from drive • unexpected deletion notice • google drive deletion warning • icloud storage deleting photos • onedrive files deleted • dropbox mass delete alert • account takeover suspected • hacked cloud account • someone accessed my cloud storage • shared folder deleted files • sync app deleted files • ransomware changed or deleted files • restore deleted cloud files • cloud recycle bin recovery • version history recovery • suspicious sign-in alert • unauthorised device logged in • email account used to reset passwords • recovery codes lost

What to do if…
you receive a notice that your cloud storage is deleting files and you did not start it

Short answer

Stop the deletion from spreading: sign in to your cloud account on the web, pause syncing on all devices, then secure the account (change password + turn on 2-step verification) and start recovery from the provider’s “Trash/Bin/Recently deleted” and version history.

Do not do these things

  • Don’t keep devices “online and syncing” while you figure it out — syncing can rapidly propagate deletions everywhere.
  • Don’t click links in the deletion email/notification to “confirm”, “stop”, or “appeal” unless you reached the site by typing the address/app yourself (phishing is common).
  • Don’t start deleting more things to “tidy up” — you may overwrite recovery options or confuse the activity trail.
  • Don’t reuse an old password or a “similar” one when you reset it.
  • Don’t assume it’s only the cloud account — if your email is compromised, attackers can keep regaining access.

What to do now

  1. Get to a calmer, controlled login.

    • Use the official app or type the provider’s address into your browser (not a link).
    • If you’re on a shared/work computer, switch to a private window and log out when finished.

  2. Pause/stop syncing everywhere (this is the “stop the bleeding” step).

    • On each computer: pause syncing in the cloud sync app (or sign out of the sync app entirely).
    • On phones/tablets: pause sync/backup for that cloud service, or temporarily disable the app’s access to files/photos.
    • If you can’t reach all devices: focus on the ones that were most recently active.

  3. Check whether the deletion is real and where it’s coming from (provider “activity”).

    • Open the account’s security/activity or recent activity/events page.
    • Look for: unfamiliar sign-ins, unknown devices, mass deletions, a new shared folder collaborator, or an “admin/policy” change (business accounts).

  4. Secure the account immediately (even if you still have access).

    • Change the password to a brand-new, unique one.
    • Sign out of all devices/sessions (many services offer “log out of all devices”).
    • Turn on 2-step verification (prefer an authenticator app or security key if you can).
    • Remove unfamiliar connected apps / third-party access and revoke anything you don’t recognise.

  5. Secure the email account linked to the cloud service (this is often the real weak point).

    • Change your email password and turn on 2-step verification there too.
    • Check for unwanted forwarding rules/filters (attackers may set these to intercept password resets).
    • Review account recovery options (phone numbers, backup email) and remove anything unfamiliar.

  6. Start recovery inside the cloud service (do this before time windows expire).

    • Go to Trash/Bin/Recently deleted and restore the most important folders first.
    • Use version history (or “restore previous versions”) for files that were changed/overwritten rather than deleted.
    • If this is a business/work account, ask your admin to check admin-level recycle bin/audit logs and retention settings.

  7. Take quick records while it’s fresh (helps support and any later reporting).

    • Screenshot: the deletion notice, activity log entries, device list, and any emails about sign-ins or password resets.
    • Write down: approximate time it started, what devices were on, and what folders were affected.

  8. Contact the cloud provider’s support/recovery route if you see account takeover or mass deletion.

    • Use their official help centre “account compromised” / “recover account” path.
    • Ask specifically about: bulk restore, retention/undelete windows, and whether they can halt automated deletion.

  9. If money was lost, extortion was involved, or you believe a crime occurred, report it.

    • England, Wales, Northern Ireland: report cyber crime and fraud to Report Fraud (the national reporting service).
    • Scotland: report to Police Scotland (101 for non-emergencies, or their online reporting options).
    • If there’s immediate danger, call emergency services.

What can wait

  • You do not need to identify exactly how they got in before you secure the account and stop syncing.
  • You don’t need to reorganise your storage, rename folders, or “clean up” anything today.
  • You don’t need to decide whether to change provider right now.
  • You can postpone deeper device checks until your account is secured and your files are recovering.

Important reassurance

This situation is usually automated rather than personal: attackers and malware often trigger mass deletions quickly. Acting in the right order (pause sync → secure account → restore) gives you the best chance of limiting damage and recovering data.

Scope note

These are first steps to stop ongoing loss, secure access, and begin recovery. If this involves a workplace/managed account, your organisation’s IT/security team may need to handle admin logs, retention policies, and incident response.

Important note

This is general information, not legal or professional advice. If you’re unsure about any step, use the cloud provider’s official recovery process and consider getting help from a trusted IT professional—especially if you suspect malware or a wider account compromise.

Additional Resources
Support us