PanicStation.org
UK USA
uk Technology & digital loss trusted device removed alert • backup email removed • recovery email removed • security alert device removed • account takeover warning • someone changed my security settings • suspicious account alert • hacked email account • locked out of my account • unexpected sign-in notification • recovery options changed • two-step verification changed • attacker still logged in • phishing security alert • my phone number removed • compromised account settings • sign out of all devices • remove unknown devices • email forwarding turned on • mailbox rules changed

What to do if…
you receive an alert that a trusted device or backup email was removed from your account

Short answer

Treat it as a possible account takeover: go to the service by typing the address or using the official app (not the alert link), sign in, and immediately secure the account (change password + sign out of other sessions + restore recovery options).

Do not do these things

  • Don’t click buttons/links in the alert if you’re even slightly unsure it’s genuine.
  • Don’t “test” passwords repeatedly if you’re being locked out — switch to the provider’s recovery flow instead.
  • Don’t keep using the same device if you suspect it’s infected (pause and use a different, trusted device if possible).
  • Don’t assume “I still have access, so it’s fine” — attackers often keep a session open even after you change some settings.
  • Don’t rush into paying anyone offering “account recovery” via DMs, ads, or cold calls.

What to do now

  1. Pause and verify the alert safely (without using its links).
    Open your browser/app and navigate to the account provider in the usual way (typed address, bookmark you already trust, or the official app). Then find Security / Recent activity / Devices / Recovery in account settings.

  2. If you can still sign in: lock the attacker out first.

    • Change your password immediately (use a new, unique one you haven’t used anywhere else).
    • Use the provider option to sign out of all devices / end all sessions.
    • Review devices and remove anything you don’t recognise.

  3. Restore and protect your recovery options.

    • Re-add your backup email and trusted devices (and remove any that aren’t yours).
    • Check if 2-step verification / MFA was changed; turn it on (or re-enable it) using an authenticator app or security key if you can.

  4. Check for “silent persistence” settings that let attackers regain access.
    In your email/account settings, look for and remove anything you didn’t set up:

    • Mail forwarding / redirect addresses
    • Rules/filters that auto-delete, archive, or forward messages
    • Connected apps / third-party access (revoke anything unfamiliar)

  5. Secure the places attackers use to reset everything: your email and phone number.

    • If the affected account is your email account, securing it is the top priority (it can reset other accounts).
    • If you suspect your mobile number could be compromised (SIM swap, call/SMS forwarding), contact your mobile network provider and ask them to confirm there are no unusual changes or forwarding services active.

  6. If you can’t sign in: use the provider’s official recovery process immediately.
    Use the provider’s account recovery pages inside the official site/app. If you still have any signed-in device, look for options like “This wasn’t me”, “Secure your account”, or Account recovery.

  7. Capture basic evidence while it’s visible.
    Take screenshots of the alert and any “recent security events” screen showing dates/devices/changes. Save them somewhere safe (not only inside the compromised account).

  8. If you think the alert might be phishing, report it and avoid engaging.

    • Forward suspicious emails to report@phishing.gov.uk.
    • Forward suspicious text messages to 7726 (free).
      If you’ve already clicked/responded and have been hacked or lost money, keep going with the steps above and report the incident via official channels.

  9. If money, benefits, or identity details might be at risk, escalate.

    • If you think this is part of fraud (e.g., payment accounts accessed, invoices diverted, new payees added), contact the relevant provider/bank immediately via their official number.
    • For cyber crime and fraud reporting: use Report Fraud (Action Fraud) online. If you’re in Scotland, report via Police Scotland on 101.

What can wait

  • You do not need to figure out how they got in right now.
  • You do not need to message all contacts immediately — first stop ongoing access and check for forwarding/rules.
  • You do not need to delete your account or wipe your devices in a panic.
  • You can review password managers, long-term clean-up, and broader security later — focus on regaining control and ending sessions.

Important reassurance

This alert often feels like a sudden loss of control, but it’s a solvable situation. Acting in a calm order — official login → end sessions → restore recovery → check forwarding/rules — is the fastest way to stop ongoing harm.

Scope note

These are first steps to stabilise the account and prevent immediate damage. If the account controls work systems, banking, or many linked services, you may need additional specialist support from the provider or your organisation after you regain control.

Important note

This guide is general information, not legal or professional advice. Account providers’ screens and recovery steps can differ; follow the official process inside the service you use and avoid third-party “recovery” offers.

Additional Resources
Support us