PanicStation.org
UK USA
uk Technology & digital loss unexplained cloud upload • sudden large upload • cloud storage hacked • cloud account compromise • unexpected sync activity • unknown device signed in • suspicious account activity • possible ransomware sync • files uploaded without you • shared folder changed • connected app access • revoke third party access • sign out of all sessions • change cloud password now • enable two step verification • storage usage spike • unexpected data transfer • cloud audit log check • backup app gone wrong • malware on computer upload • stolen credentials cloud

What to do if…
your cloud storage suddenly shows a large upload you cannot explain

Short answer

Pause syncing and secure the account first: sign out other sessions, change your password, and enable 2-step verification so any unauthorised access can’t continue.

Do not do these things

  • Don’t start deleting lots of files “to fix it” until you’ve secured the account and captured what you’re seeing (you may erase clues you need).
  • Don’t keep your cloud app syncing while you investigate (it can keep uploading or propagating bad changes).
  • Don’t click “security alert” links from emails/texts about this—go directly to the cloud provider’s official site/app.
  • Don’t reuse an old password or a password you’ve used elsewhere.
  • Don’t wipe/reset devices immediately if you suspect malware—stabilise first and note what happened.

What to do now

  1. Freeze the situation (stop further uploads).
    Pause syncing or quit the cloud app on every device that uses that cloud service. If you can’t find a pause option, disconnect that device from the internet (Wi-Fi off / unplug ethernet) while you secure the account.

  2. Sign in the safe way (avoid phishing).
    Open the provider’s official app you already have installed, or type the known address yourself. Avoid following links from messages.

  3. Force everyone else out.
    In the account security settings, use “sign out of all devices/sessions” (or equivalent). This helps break an attacker’s access immediately.

  4. Change the password and lock it down.
    Set a strong, unique password. Then turn on 2-step verification (2SV) for the cloud account and (if possible) for the email account that controls password resets.

  5. Check and correct account recovery controls (so they can’t get back in).
    In security/account settings, check:

    • recovery email/phone number (remove anything you don’t recognise)
    • backup codes (generate/save new ones if offered)
    • security questions (if used) and notification/alert settings
    • trusted devices / “remembered browsers” (remove unknown ones)

  6. Check for the simplest non-attack explanations (quickly).
    In the cloud service:

    • Review recent activity / device list / sign-in history for unfamiliar devices, locations, or times.
    • Review connected apps (third-party access): revoke anything you don’t recognise.
    • Review shared folders / shared links: remove unknown collaborators, disable public links you didn’t create.
    • Check whether a backup feature (photos, desktop backup, scan-to-cloud) was enabled and is uploading a backlog.

  7. Capture a minimal record (30–60 seconds).
    Take screenshots of the activity page showing the upload size/time, unknown devices, and any changed security/recovery settings. Note the date/time.

  8. Check the device most likely to be uploading.
    On computers that sync to the cloud: run an up-to-date malware scan, update the operating system and the cloud app, and reboot. If it’s a work-managed device/account, stop and follow your organisation’s IT/security incident process.

  9. If you suspect fraud, data theft, or you’ve lost money, use the right reporting route.

    • If the crime is happening now, or you’re in immediate danger, call 999.
    • England, Wales, or Northern Ireland: report cyber crime/fraud via Report Fraud (Action Fraud).
    • Scotland (or the incident happened there): report to Police Scotland (typically via 101 for non-emergency, or online reporting).
    • If there’s financial loss risk, contact your bank/card provider promptly to flag suspected fraud and protect accounts.

What can wait

  • You do not need to decide today whether to permanently delete anything or reorganise the account.
  • You do not need to reinstall/wipe devices immediately unless you have clear signs of infection and you’ve first secured accounts and noted key details.
  • You do not need to contact everyone right now unless you confirm your account shared files/links or sent messages to others.

Important reassurance

Unexplained uploads are scary, but they’re often caused by legitimate backup/sync settings, a second device you forgot about, or an app connection you didn’t realise had access. Securing the account and pausing sync is the right first move either way.

Scope note

These are first steps to stabilise and prevent more damage. If you confirm unauthorised access, later steps may include deeper device checks, reviewing what data was exposed, and provider-led recovery.

Important note

This is general information, not legal, financial, or professional security advice. If work systems or sensitive personal data are involved, use official provider support channels and your organisation’s incident process.

Additional Resources
Support us