PanicStation.org
UK USA
uk Technology & digital loss cloud account files in trash • cloud storage files deleted • files moved to bin • google drive files trashed • onedrive recycle bin full • dropbox deleted files • icloud recently deleted files • cloud sync deleted my files • shared folder files missing • unauthorized file deletion • account takeover cloud storage • hacked cloud storage account • suspicious cloud account activity • restore files from trash • lots of files missing suddenly • someone accessed my cloud account • cloud account compromised • accidental bulk delete in cloud • files disappeared from cloud drive • cloud backup deleted

What to do if…
your cloud account shows many files moved to trash without you doing it

Short answer

Stop syncing and avoid permanent deletion, then secure the account (sign out other sessions, change password, enable 2-step verification) before you restore anything. Treat this as time-sensitive: some services automatically purge items from trash after a retention period.

Do not do these things

  • Don’t empty the trash / recycle bin (or click “delete forever”) while you’re still unsure what happened.
  • Don’t keep multiple devices “trying to fix it” at once (it can re-delete/re-trash items via sync).
  • Don’t trust unexpected “support” emails, pop-ups, or phone numbers offered in messages about the incident.
  • Don’t install “recovery” tools from random sites or grant remote access to someone claiming to help.
  • Don’t assume it’s only your cloud account—your email account may be the real doorway.

What to do now

  1. Freeze the damage (stop sync, don’t delete anything).

    • On each computer/phone with the cloud app: pause syncing or quit the app for now.
    • If this is a shared folder/workspace, stop making changes there until you’ve checked whether another user/admin acted.

  2. Use the cloud service website (not just the app) to confirm what moved and when.

    • Open Trash/Deleted items/Recycle bin and sort by time if possible.
    • Note the earliest time you see the mass move.
    • If there’s an activity/audit log that shows a device/user/app, capture it (screenshots or a written note).

  3. Secure the account before restoring.
    In your account security settings:

    • Use the option to sign out of other devices/sessions (if available), and remove anything you don’t recognise.
    • Change your password (new and unique).
    • Turn on 2-step verification (2SV) (an authenticator app is generally preferred where available; SMS can be better than nothing).
    • Review connected third-party apps and revoke anything unnecessary or unfamiliar.

  4. Secure your email account immediately.
    If someone can access your email, they can often reset cloud passwords.

    • Change your email password, enable 2SV, and review recent sign-ins/devices there too.

  5. Make a quick incident record (to avoid confusion later).
    Write down or screenshot:

    • date/time you noticed it
    • approx. number of files/folders affected
    • any unknown sign-ins/devices
    • any account setting changes (recovery email/phone, new connected apps)

  6. Restore in the safest direction (small test first).

    • Restore a small batch and watch for it being trashed again (a sign something automated is still active: sync on a device, a third-party app, or another shared user).
    • If it stays put, restore in batches.
    • If it keeps re-trashing, stop and re-check Step 1–4.

  7. Use the provider’s official support route.
    Go to the provider’s website/app and navigate to Help/Support from there (not from links in messages). Ask about:

    • bulk restore options
    • what their logs show (device/app/user)
    • whether they can help stop repeated deletions/restore at scale

  8. If you suspect criminal access or fraud, consider reporting.

    • If money was lost or you suspect account takeover as part of fraud, you can report via Report Fraud (Action Fraud).
    • If this involves work/customer personal data, follow your organisation’s incident process immediately; it may be a personal data breach that needs logging and assessment.

What can wait

  • You do not need to decide today whether to wipe devices, reinstall apps, or abandon the account.
  • You do not need to restore everything immediately—securing the account first prevents repeated loss.
  • You do not need to identify the exact cause right now; focus on stopping changes and regaining control.

Important reassurance

A sudden mass move to trash is a common “alarm signal” in cloud systems and it often has a reversible path—especially if you avoid permanent deletion and pause syncing. A calm “freeze, secure, then restore” order prevents the most irreversible mistakes.

Scope note

This is first-steps guidance for stabilising the situation and preventing further loss. If you later find signs of wider compromise (email takeover, banking alerts, workplace breach), you may need specialist support and formal reporting.

Important note

This guide is general information, not legal, IT, or forensic advice. If you think personal data, workplace systems, or financial accounts are involved, follow your organisation’s security process (if applicable) and use official reporting/support channels.

Additional Resources
Support us