What to do if…
you realise your recovery codes or backup codes cannot be found when you need them
Short answer
Pause, verify you’re using the real service (not a phishing page), then try to regain access using a trusted device that’s already signed in or the provider’s official recovery flow—without involving “helpers” or unofficial support.
Do not do these things
- Don’t click “sign-in” links from unexpected messages while you’re stressed—type the site address yourself or use the official app.
- Don’t pay anyone offering account “recovery services” or share one-time codes with anyone.
- Don’t keep retrying guesses until the provider rate-limits or locks the account for longer.
- Don’t disable multi-factor authentication in a panic (it can increase takeover risk).
- Don’t upload ID documents to random sites; only provide identity proof if you’re inside the provider’s official recovery process.
What to do now
- Confirm you’re on the legitimate sign-in path.
  Use the official app or manually enter the service’s address in your browser. If the page looks unusual or the request feels urgent/threatening, stop.
- Do one fast, structured search for the codes (limit to 5 minutes).
  Check: password manager secure notes, an encrypted vault, printed sheet, notebook, downloads folder, screenshots, cloud drive secure folder, or the “setup email” you may have sent to yourself.
  Then stop searching and move to recovery (endless searching increases panic and delays recovery).
- Use a trusted, already-signed-in device/session to regain control (best-case path).
  If you’re still logged in anywhere (phone app, tablet, another browser profile, old laptop):
  - Go to Security / Sign-in settings.
  - Generate a new set of backup codes or add a new sign-in method (passkey/security key/authenticator).
  - Sign out of devices you don’t recognize.
- Try alternate verification methods you may already have enabled.
  Look for “Try another way” and choose options like authenticator app approval, security key, trusted device prompt, backup email, or phone verification (if you still control that number/email).
- If you can’t sign in, use the provider’s official account recovery process.
  Use “Forgot password / Account recovery” on the official site. Provide only what you genuinely know (previous passwords, approximate account creation date, billing details for paid services).
  If you hit rate limits or lockouts, stop and wait for the provider’s cooldown window rather than trying more guesses.
- Assume missing codes could coincide with compromise—do a quick compromise check if you regain access.
  Immediately:
  - Change your password to a unique one.
  - Review recent sign-in activity and revoke unknown sessions.
  - Check recovery email/phone, forwarding rules, connected apps, and any “trusted devices” list.
- If you think hacking or fraud is involved, use US reporting and recovery resources.
  - If identity theft is possible (accounts opened, benefits/credit misuse), use the federal identity theft recovery resource for step-by-step actions.
  - If you were scammed or there’s account takeover fraud involved, consider filing a complaint through the FBI’s Internet Crime Complaint Center (IC3).
  Also contact your bank/service provider using official contact details if money or billing accounts are involved.
What can wait
- You don’t need to decide right now whether to change all your accounts or rebuild your whole security setup.
- You don’t need to pick the “perfect” 2FA method today—first regain access and stop any ongoing compromise.
- You don’t need to respond to every alert; prioritize the account that controls resets for others (often your email).
Important reassurance
This happens to a lot of people—backup codes are easy to misplace, and you usually only notice when you urgently need them. Slowing down, using trusted devices, and sticking to official recovery routes is the safest way to get back in.
Scope note
These are first steps to regain access safely and reduce immediate takeover risk. Longer-term security improvements can come later, once you’re back in control.
Important note
This is general information, not legal advice. If money, benefits, or identity misuse may be involved, prioritize contacting the affected provider/bank through official channels and using official US reporting and recovery resources.
Additional Resources
- https://support.google.com/accounts/answer/1187538
- https://support.microsoft.com/en-us/account-billing/how-to-get-a-microsoft-account-recovery-code-2acc2f88-e37b-4b44-99d4-b4419f610013
- https://consumer.ftc.gov/how-recover-your-hacked-email-or-social-media-account
- https://www.identitytheft.gov/
- https://www.ic3.gov/CrimeInfo/AccountTakeover
- https://www.ic3.gov/
- https://www.ftc.gov/news-events/topics/identity-theft/report-identity-theft