PanicStation.org
UK USA
uk Technology & digital loss cloud account mass deletions • cloud files deleted not by me • someone deleted my cloud files • cloud storage hacked • account takeover cloud storage • unexpected file deletions • cloud sync deleted everything • shared folder emptied • missing files in cloud drive • cloud activity log suspicious • restore deleted cloud files • cloud recycle bin recovery • cloud version history restore • unknown device signed in • suspicious login cloud account • connected apps unauthorized • email forwarding rule added • ransomware deleting cloud files • cloud files disappeared overnight • cloud provider support urgent

What to do if…
your cloud account shows massive deletions you did not perform

Short answer

Stop syncing and secure the account from a trusted device first, before you do anything that could permanently remove recoverable files. Then start recovery using the provider’s “trash/recycle bin” and “restore to a previous time/version” features.

Do not do these things

  • Don’t keep all your devices logged in and syncing while you investigate (it can spread deletions everywhere).
  • Don’t empty the cloud “trash/recycle bin” or “recently deleted” area.
  • Don’t reinstall/reset devices yet if you still need them to view account activity or recover files.
  • Don’t click links in emails/texts claiming to be “support”, and don’t use phone numbers provided in unexpected messages.
  • Don’t tap “approve” on unexpected sign-in/MFA prompts.
  • Don’t reuse the same password again (or “a slightly changed” version) if you suspect compromise.
  • Don’t pay any ransom or “recovery fee” to someone contacting you about the deletions.
  • Don’t assume it’s “just a sync glitch” until you’ve checked sign-in/activity logs and connected apps.

What to do now

  1. Stop the bleeding (pause sync / cut connectivity)

    • Disconnect affected devices from the internet (Wi-Fi off / unplug ethernet / airplane mode on phones).
    • In the cloud app, pause syncing or sign out on every device you can access.
    • If this is a work/school account, tell your IT/admin now and ask them to temporarily block sign-ins while you secure it.

  2. Capture what’s happening (so you don’t lose the trail)

    • Take screenshots (or export logs) of:
      • recent activity / sign-in history
      • deletion events (time, IP/location if shown, device name, user)
      • any new sharing links, new collaborators, or permission changes
    • Note the first time you noticed it and which device you were using.

  3. Secure the account from one trusted route

    • From a device you believe is clean (or a freshly updated one), go to the provider’s security settings and:
      • Change the password to a strong, unique one.
      • Turn on 2-step verification (2SV) if it isn’t already.
      • Sign out of other devices/sessions everywhere the provider offers this.
    • Check and remove anything you don’t recognise:
      • signed-in devices/sessions
      • connected apps / third-party access
      • recovery email/phone you didn’t add
    • Also check your email account settings directly (type the site address or use the official app): look for auto-forwarding or mailbox rules you didn’t create, because email access can be used to reset cloud passwords.

  4. Recover files using built-in recovery tools

    • Immediately check:
      • Trash / Recycle Bin / Recently Deleted
      • Version history (for overwritten files) and restore previous versions
      • Any “Restore your account/drive to an earlier time” feature (often helps if lots was deleted quickly)
    • If you’re in an organisation, ask your admin to use admin recovery options (these can differ from what end users can do).

  5. Contact the cloud provider’s support through official channels

    • Use the provider’s in-product help/support pages (not links sent by email/text).
    • Tell them clearly: mass deletions, not performed by you, time window, and that you suspect account takeover or an unauthorised app/session.
    • Ask what recovery windows apply and whether they can restore from server-side retention/backups.

  6. If money was lost or you were scammed, report it

    • If this involves fraud (payments, extortion, diverted transfers), report via Report Fraud (England, Wales, Northern Ireland — the national reporting service previously known as Action Fraud).
    • If you’re in Scotland, report to Police Scotland (non-emergency via 101).

What can wait

  • Deciding whether to change cloud providers or rebuild your whole backup strategy.
  • Deep device forensics, full OS reinstalls, or replacing hardware (do this after recovery attempts).
  • Notifying every contact/customer (do it once you know what was accessed/sent).
  • Long-term clean-up like reorganising folders or re-sharing permissions (after you’ve regained control).

Important reassurance

Sudden mass deletions are frightening, but many cloud services keep deleted items and versions for a period, so fast, careful actions can genuinely improve recovery. The most important thing is to stop syncing and secure access first so you don’t accidentally make recoverable loss permanent.

Scope note

This is first steps only to stabilise, secure the account, and maximise the chance of recovery. If this involves a workplace, regulated data, or suspected targeted compromise, you’ll likely need specialist IT/security help after the immediate recovery phase.

Important note

This guide is general information, not legal or professional advice. Cloud providers’ recovery windows and admin options vary, so follow your provider’s official support steps and treat retention time limits seriously.

Additional Resources
Support us