PanicStation.org

What to do if…
your email account recovery email or phone number is changed without your consent

Short answer

Treat this as an active account takeover: use the provider’s official account-recovery route immediately, then lock the account down (password + sign out everywhere + 2-step verification) from a safer device.

Do not do these things

  • Don’t use links in “security alert” emails or texts to sign in — type the provider’s address in your browser/app yourself.
  • Don’t keep entering passwords/old codes repeatedly if you’re failing — you can trigger lockouts and make recovery harder.
  • Don’t “test” random recovery emails/phone numbers you don’t recognise — focus on regaining control via official recovery.
  • Don’t pay anyone offering to “recover” your account via DMs, WhatsApp, Telegram, or “support” phone numbers found in ads.
  • Don’t assume it’s contained once you change a password — attackers often add forwarding/rules or stay signed in on other devices.

What to do now

  1. Pause and switch to a safer setup (2 minutes). Use a device you trust (or one freshly restarted/updated) and a network you trust. If you suspect your phone is the weak point, do recovery from a computer instead.
  2. Start recovery via the provider’s official help pages (now). Use the provider’s “recover a hacked account / can’t sign in” flow. If you can still sign in, go straight to the Security settings and check what changed.
  3. If you can get in: lock the account down in this order.
    1. Change your password to a strong, unique one.
    2. Sign out of all other sessions/devices (look for “sign out of all devices” / “log out everywhere”).
    3. Remove the attacker’s recovery email/phone and add back only ones you control.
    4. Turn on 2-step verification (or passkeys, if offered) and generate backup/recovery codes. Store them offline.
  4. Check for “persistence” inside your mailbox (very important).
    • Look for forwarding addresses you didn’t set.
    • Check filters/rules that auto-delete or auto-forward mail.
    • Check delegated access / shared mailbox settings (if your provider has them).
    • Review recent security activity / sign-in history and remove unknown devices/apps.
  5. Protect the “blast radius” (15–30 minutes).
    • Prioritise accounts that use this email for resets: banking, payments, government services, shopping, mobile provider, cloud storage, social media.
    • For each, change the password and check the recovery email/phone matches you (not the attacker).
  6. If recovery codes are arriving by SMS and you don’t trust your phone number: contact your mobile network using the number on your bill/official website and ask them to check for SIM-swap/unauthorised changes. Ask what extra security they can add to your mobile account (options vary by network).
  7. Report and document if it’s more than “just email.”
    • If you lost money or were tricked into sharing information, report cyber crime/fraud via Report Fraud (for England, Wales, and Northern Ireland).
    • If you live in Scotland (or the incident is Scotland-linked), report via Police Scotland (101 for non-emergency; online reporting for non-urgent matters).
  8. If you received suspicious emails that may have led to this: forward them to report@phishing.gov.uk (if you can’t forward, send a screenshot).

What can wait

  • You do not need to figure out how they got in before you secure access.
  • You do not need to message the attacker, negotiate, or “warn them” — it can escalate.
  • You do not need to clean up every old service right now — focus first on email + financial/password-reset accounts.
  • You do not need to delete your email account today (unless your provider confirms it can’t be secured).

Important reassurance

This happens to careful people, especially when recovery details are changed quickly and silently. If you act in the right order (official recovery → sign out everywhere → restore recovery details → check forwarding/rules), you can often stop further damage even if you feel behind.

Scope note

This is first-step guidance to regain control and prevent further harm. If you’re locked out and the provider’s recovery fails, you may need the provider’s formal support route and a structured “new email + migrate critical accounts” plan.

Important note

This is general information, not legal or technical advice. If you believe a crime is ongoing or you’re at immediate risk, contact local authorities. Use only official provider and government reporting channels.
