PanicStation.org
UK USA
us Technology & digital loss trusted device removed alert • backup email removed • recovery email removed • security alert device removed • account takeover warning • someone changed my security settings • suspicious account alert • hacked email account • locked out of my account • unexpected sign-in notification • recovery options changed • multi-factor authentication changed • attacker still logged in • phishing security alert • my phone number removed • compromised account settings • sign out of all devices • remove unknown devices • email forwarding turned on • mailbox rules changed

What to do if…
you receive an alert that a trusted device or backup email was removed from your account

Short answer

Assume a takeover until proven otherwise: go directly to the real service (not the alert link), then change your password, sign out of other sessions, and restore your recovery options and MFA.

Do not do these things

  • Don’t click the alert link if there’s any chance it’s phishing — open the service from a trusted path instead.
  • Don’t keep logging in/out repeatedly if you’re being challenged or locked — switch to the official recovery flow.
  • Don’t send codes or screenshots of codes to anyone (including someone claiming to be “support”).
  • Don’t ignore this because “nothing looks missing” — attackers often change recovery methods first.
  • Don’t pay “account recovery” services or respond to cold calls offering to fix it.

What to do now

  1. Verify the alert safely (no links).
    Open the official app or type the provider’s address yourself. Go to Security / Devices / Recent activity / Recovery info and confirm whether a trusted device or backup email was removed.

  2. If you can sign in: kick out any attacker session immediately.

    • Change your password to a new, unique one.
    • Use Sign out everywhere / Log out of all sessions (wording varies).
    • Review Devices and remove anything you don’t recognize.

  3. Restore and harden account recovery.

    • Re-add your backup email and correct phone/recovery methods.
    • Turn on (or re-enable) MFA/2FA. Prefer an authenticator app or security key if available.

  4. Check for hidden settings that keep the attacker in control.
    Look for and remove anything you didn’t set up:

    • Forwarding / redirect addresses
    • Rules/filters that auto-forward, auto-delete, or hide messages
    • Connected apps / OAuth access you don’t recognize

  5. Secure the “roots”: your email account and mobile number.

    • If this happened on your primary email, treat it as urgent because it can reset many other accounts.
    • If you suspect your phone number was targeted (SIM swap / call or SMS forwarding), contact your carrier’s support using the number on your bill/official site and ask them to review recent changes and protections on your line.

  6. If you can’t sign in: start official account recovery right away.
    Use the provider’s recovery pages from the official site/app. If you have any device still signed in, use built-in options like “Secure your account” or “This wasn’t me.”

  7. Save evidence while you still can.
    Screenshot the alert and the provider’s “recent security events” page (dates, devices, IP/location if shown). Save copies somewhere not controlled by the compromised account.

  8. If there’s fraud or identity risk, report it through official portals (typed in, not searched).

    • For scams, fraud, or bad business practices: use ReportFraud.ftc.gov.
    • If your personal info is being used (accounts opened, tax/benefits misuse, debt collection, etc.): use IdentityTheft.gov.
    • For cybercrime complaints (including some account takeover-related losses): file with IC3.gov.
      If someone contacts you claiming to be “FTC/IC3/FBI support” and asks for money or codes, treat it as a scam.

What can wait

  • You don’t need to identify the exact method of compromise right now.
  • You don’t need to notify everyone immediately — first stop forwarding/rules and end sessions.
  • You don’t need to delete your account or wipe devices in a panic.
  • You can do deeper clean-up (device checks, password manager audits, broader resets) after you’ve regained control.

Important reassurance

Getting an alert about a removed device or recovery email is scary because it feels like the ground moved under you — but it’s also a clear early warning. Fast, focused actions (official login → end sessions → restore recovery → check forwarding/rules) usually stop the damage quickly.

Scope note

These are first steps to stabilize and reduce immediate harm. If this account is tied to work systems, banking, or many linked services, you may need additional provider support and a wider security review after you’re back in control.

Important note

This guide is general information, not legal or professional advice. Provider recovery screens vary; follow the official process within the service and avoid third-party “recovery” offers.

Additional Resources
Support us