'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
you see new access tokens, API keys, or app connections created that you did not create
Short answer
Assume someone still has access: revoke the unknown tokens/app connections immediately, then secure the “root” account (your email/SSO) and rotate any keys that could access systems.
Do not do these things
- Don’t “wait and see” or leave the new token/app connection active while you investigate.
- Don’t delete logs, alerts, or evidence (you may need them to understand scope and persistence).
- Don’t rotate everything at once if it will break access or lock you out—keep one known-good admin path working.
- Don’t reuse old passwords or “minor variations” of a password you’ve used before.
- Don’t keep doing admin/security actions from a device you suspect is compromised.
What to do now
-
Get to a safer control point.
If you can, switch to a different (known-clean) device and sign in by typing the service address yourself (avoid links in messages). -
Revoke the specific things you didn’t create (first).
- Revoke/disable the new access token(s) and API key(s).
- Remove the unknown connected app(s) / OAuth authorisations.
- If this is a work system, contact your admin/IT/security contact and ask them to revoke your sessions/access while you stay on the call/chat.
-
Invalidate sessions so the attacker is kicked out.
Use options like “sign out of all devices”, “revoke sessions”, or “log out everywhere.” (This matters because tokens/sessions can keep working even after a password change.) -
Secure your email/SSO account (because it resets everything else).
- Change the email/SSO password.
- Check for mail forwarding, inbox rules/filters, and recovery email/phone changes you didn’t make.
- Turn on 2-step verification for email/SSO if it isn’t already on.
-
Secure the affected platform account.
- Set a new, unique password.
- Turn on 2-step verification (prefer an authenticator app or security key if available).
- Review trusted devices/sessions and remove anything unfamiliar.
-
Pause anything that could keep leaking secrets.
If you have automation (CI/CD, build agents, scripts, integrations): pause deployments and disable affected pipelines/integrations until secrets are rotated and you’ve checked for malicious changes. -
Rotate credentials in a controlled order (second wave).
Prioritise anything with broad or money/data access: cloud access keys, production database credentials, deploy keys, payment/finance integrations, and any “admin” API keys. Replace with new credentials and update dependent services one by one to avoid outages. -
Check audit/activity logs for persistence and scope.
Look for: new users, new MFA methods, new SSH keys, permission/role changes, new webhook destinations, changes to billing/payout settings, or disabled alerts. Save screenshots/exports if available. -
If personal data might be involved, start breach triage early.
For organisations: record a simple timeline (what you saw, when you saw it, what you changed). If you believe a personal data breach may be notifiable, the UK process commonly involves reporting to the ICO within 72 hours of becoming aware (even if details are still emerging).
What can wait
- Determining the exact initial cause (phishing vs reused password vs stolen session/token vs malicious OAuth consent).
- Writing a perfect report. A simple timeline and screenshots/log exports are enough for now.
- Long-term improvements (secret managers, policy redesign). Stabilise first.
Important reassurance
Attackers often create tokens or connect apps so they can come back even after you change a password. Revoking tokens/app access and invalidating sessions is the fastest way to cut them off, and it’s normal to need a second pass after you review logs.
Scope note
These are first steps to regain control and reduce harm. If production systems, customer data, or money-moving accounts were reachable, you may need deeper investigation and specialist support.
Important note
This guide is general information, not legal or professional advice. If this involves a workplace, regulated data, or significant customer impact, follow your organisation’s incident process and get appropriate professional support.
Additional Resources
- https://www.ncsc.gov.uk/guidance/recovering-a-hacked-account
- https://www.ncsc.gov.uk/files/recovering-hacked-accounts-infographics.pdf
- https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/
- https://ico.org.uk/for-organisations/advice-for-small-organisations/personal-data-breaches/72-hours-how-to-respond-to-a-personal-data-breach/
- https://docs.github.com/en/code-security/tutorials/remediate-leaked-secrets/remediating-a-leaked-secret
- https://docs.github.com/en/organizations/managing-programmatic-access-to-your-organization/reviewing-and-revoking-personal-access-tokens-in-your-organization