PanicStation.org
UK USA
us Technology & digital loss cloud account mass deletions • cloud files deleted not by me • someone deleted my cloud files • cloud storage hacked • account takeover cloud storage • unexpected file deletions • cloud sync deleted everything • shared folder emptied • missing files in cloud drive • cloud activity log suspicious • restore deleted cloud files • cloud recycle bin recovery • cloud version history restore • unknown device signed in • suspicious login cloud account • connected apps unauthorized • ransomware deleting cloud files • cloud files disappeared overnight • file a cybercrime report ic3 • enable multi factor authentication

What to do if…
your cloud account shows massive deletions you did not perform

Short answer

Stop syncing and lock down the account first (password change + MFA + sign out other sessions), then recover quickly using the cloud provider’s “trash/recycle bin” and “restore/version history” tools.

Do not do these things

  • Don’t leave multiple devices syncing while you troubleshoot (it can propagate deletions).
  • Don’t empty “trash/recycle bin/recently deleted,” and don’t approve unexpected sign-in prompts.
  • Don’t follow “support” links that come via email/text you didn’t initiate; use in-app help or type the provider’s site yourself.
  • Don’t reuse an old password (or a minor variation) if compromise is possible.
  • Don’t pay extortion demands or “recovery fees.”
  • Don’t factory reset devices yet if you still need them to check logs, confirm what happened, or recover data.

What to do now

  1. Pause syncing immediately

    • Disconnect affected devices from the internet (airplane mode / Wi-Fi off / unplug ethernet).
    • In the cloud app, pause sync or sign out on each device you can access.
    • If this is a work/school account, notify your IT/admin now and ask them to block sign-ins temporarily while you secure it.

  2. Record what you’re seeing (before it changes)

    • Screenshot or export:
      • account sign-in history / security events
      • the file activity log showing deletions (timestamps, device names, user)
      • any new sharing links, new collaborators, or permission changes
    • Write down when you first noticed it and any recent suspicious emails or prompts.

  3. Secure the account from a trusted device

    • From a device you trust (or a freshly updated one):
      • Change your password to a strong, unique password.
      • Enable MFA (prefer passkeys/security keys or app-based methods when available).
      • Use the provider option to sign out of all other devices/sessions.
    • Review and remove anything unfamiliar:
      • logged-in devices
      • connected apps / third-party access
      • recovery email/phone changes you didn’t make

  4. Recover files using built-in recovery features

    • Check the provider’s:
      • Trash / Recycle Bin / Recently Deleted
      • Version history for edited/overwritten files
      • Restore to a previous time” (some services can roll back a whole drive/account within a retention window)
    • If you’re in an organization (Microsoft 365 / Google Workspace), ask an admin to use admin recovery tools (often different from personal accounts).

  5. Contact the cloud provider via official support

    • Use the provider’s official help/support site (type it yourself or use in-app help).
    • Tell them: “mass deletions not performed by me,” the time window, and that you suspect account takeover or an unauthorized app/session.
    • Ask what retention windows apply and whether they can restore from server-side retention.

  6. If there’s fraud/extortion or identity theft, report it

    • If you’ve lost money, paid someone, or this is part of a cyber-enabled scam, file a report with the FBI Internet Crime Complaint Center (IC3) (watch for lookalike scam sites).
    • If you suspect identity theft (new accounts, tax/benefits issues, credit problems, SIM swap, etc.), start at IdentityTheft.gov and follow the steps it generates for your situation.

What can wait

  • Rebuilding folder structures or re-sharing permissions (do this after recovery).
  • Device wipe/reinstall decisions (after you’ve stopped the account takeover and recovered what you can).
  • Switching providers or redesigning your backup strategy.
  • Broad notifications to everyone in your contacts/customer list (wait until you know what was accessed or sent).

Important reassurance

This situation is alarming, but many cloud services keep deleted files and older versions for a period. Moving quickly—but carefully—often preserves recovery options. The biggest preventable mistake is leaving syncing running while an attacker (or a bad token/app) is still active.

Scope note

This is first steps only to stabilize, regain control, and maximize the chance of restoring your data. If this is a workplace environment or involves sensitive data, you’ll likely need dedicated IT/security support after the immediate recovery phase.

Important note

This guide is general information, not legal or professional advice. Recovery windows, “restore” features, and admin tools vary by provider and account type—follow your provider’s official instructions and treat retention time limits as real.

Additional Resources
Support us