PanicStation.org
UK USA
us Technology & digital loss cloud storage deleting files • files disappearing from drive • unexpected deletion notice • google drive deletion warning • icloud storage deleting photos • onedrive files deleted • dropbox mass delete alert • account takeover suspected • hacked cloud account • someone accessed my cloud storage • shared folder deleted files • sync app deleted files • ransomware changed or deleted files • restore deleted cloud files • cloud recycle bin recovery • version history recovery • suspicious sign-in alert • unauthorised device logged in • email account used to reset passwords • recovery codes lost

What to do if…
you receive a notice that your cloud storage is deleting files and you did not start it

Short answer

Prevent the deletions from syncing everywhere: sign in on the provider’s real website/app, pause syncing on all devices, then lock down the account (new password + MFA) and begin restoring from “Trash/Deleted items” and version history.

Do not do these things

  • Don’t keep your laptop/phone syncing “while you check” — it can rapidly spread deletions across every device and shared folder.
  • Don’t click “stop deletion” or “verify your account” links from the notice until you confirm it’s legitimate by going to the provider directly (phishing is common).
  • Don’t reset your password to something you’ve used before (or a small variation).
  • Don’t ignore your email security — if your email is compromised, an attacker can keep resetting your cloud password.
  • Don’t factory-reset devices yet unless you’ve already stopped syncing and secured the account (otherwise you may lose clues and still have the account exposed).

What to do now

  1. Log in safely (without using the message link).

    • Open the cloud provider’s official app, or type the website address yourself.
    • If you’re on a public/shared device, use a private/incognito window and log out when finished.

  2. Pause or stop syncing on every device you can reach (priority #1).

    • On computers: pause syncing in the desktop sync client or sign out of it.
    • On phones/tablets: pause backup/sync for that cloud service, or temporarily disable the app’s file/photo access.
    • If you manage multiple devices, start with the one you last used or the one that got the alert.

  3. Check the account’s security/activity page to identify what changed.

    • Look for: unfamiliar sign-ins, unknown devices, bulk deletions, newly shared collaborators, or connected apps you don’t recognize.
    • If this is a work/school account, check whether an admin policy or retention change could be involved and notify your IT/help desk.

  4. Secure the cloud account right away.

    • Change your password to a brand-new, unique one.
    • Use “sign out of all devices” / “revoke sessions” if available.
    • Turn on multi-factor authentication (MFA) (authenticator app or security key is typically stronger than SMS when available).
    • Remove unfamiliar third-party app access and disconnect anything suspicious.

  5. Secure the email account linked to the cloud account.

    • Change the email password and turn on MFA there too.
    • Check for forwarding rules/filters you didn’t set (attackers may forward password-reset emails).
    • Review recovery phone/email entries and remove anything unfamiliar.

  6. Start restoring data inside the cloud service (don’t wait).

    • Restore from Trash/Recycle bin/Deleted items/Recently deleted first.
    • Use version history for files that were modified or overwritten.
    • If the provider offers “restore account to a point in time” (some services do), use it only after you’ve secured the account.

  7. Preserve quick evidence for support (and for any later report).

    • Screenshot: the deletion alert, recent activity log, device list, and password-reset emails (if any).
    • Write down: when you noticed, what device you were on, and which folders were affected.

  8. Contact the cloud provider’s official support/recovery path if you suspect compromise or can’t restore.

    • Use the provider’s “account compromised” / “recover account” help route.
    • Ask specifically about: bulk restore tools, retention/undelete windows, and whether they can help stop ongoing deletion.

  9. If money was lost, extortion was involved, or you believe a crime occurred, report it.

    • Report fraud/scams to the FTC using ReportFraud.
    • File a complaint with the FBI’s IC3 for cyber-enabled crime and fraud.
    • If you are being threatened or extorted right now, call 911.

What can wait

  • You don’t need to figure out the exact cause (phishing vs. malware vs. reused password) before you pause sync and secure the account.
  • You don’t need to decide today whether to wipe devices or switch services.
  • You can postpone password-manager setup and long-term backup strategy until after recovery and stabilization.

Important reassurance

A sudden deletion wave is frightening, but many cloud services have recovery features (deleted-items bins, restore windows, version history). Acting quickly—especially pausing sync and securing access—usually improves the chance of getting files back.

Scope note

This is first-step guidance to stop ongoing loss, regain control of the account, and begin recovery. If this involves a work/school managed account, your organization’s IT/security team may need to handle audit logs, retention rules, and incident response.

Important note

This is general information, not legal or professional advice. If you suspect malware or a broader compromise and you’re not sure what to do, consider getting help from a trusted IT professional after you’ve stopped syncing and secured the account.

Additional Resources
Support us