'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
your cloud storage suddenly shows a large upload you cannot explain
Short answer
Stop syncing and secure the account: sign out other sessions, change your password, and turn on two-factor authentication so unauthorized access can’t keep uploading.
Do not do these things
- Don’t mass-delete files or “clean up” the cloud account before you’ve secured it and captured what you’re seeing.
- Don’t leave sync running while you investigate (it can keep uploading or spread harmful changes).
- Don’t use “security alert” links from emails/texts—go directly to the provider’s official site/app.
- Don’t reuse an old password or one used on other sites.
- Don’t immediately factory-reset devices if you suspect malware—stabilize first and note key details.
What to do now
-
Freeze the situation (prevent more uploading).
Pause syncing or quit the cloud app on every device that uses it. If you can’t pause, disconnect that device from the internet while you secure the account. -
Sign in the safe way.
Use the cloud provider’s official app or type the address yourself. Avoid links from messages. -
Kick out other sessions.
In account security settings, use “sign out of all devices/sessions” (or equivalent). This helps stop unauthorized access fast. -
Change the password and enable 2FA.
Set a strong, unique password. Turn on two-factor authentication (2FA) for the cloud account and (if possible) for the email account used for password resets. -
Check and correct recovery/security controls (so they can’t get back in).
In security/account settings, review and fix:- recovery email/phone number (remove anything you don’t recognize)
- backup codes (generate/save new ones if offered)
- trusted devices / remembered browsers (remove unknown ones)
- security alerts/notifications (turn them on if available)
-
Check the most common non-attack causes (fast).
In the cloud service:- Review recent activity / sign-in history / device list for unknown devices, locations, or times.
- Review connected apps (third-party access) and revoke anything unfamiliar.
- Review sharing settings (shared folders, shared links, collaborators) and remove anything you didn’t set.
- Consider whether a backup feature (photos, desktop backup, scanner app) was enabled and is uploading a backlog.
-
Capture a minimal record (30–60 seconds).
Screenshot the activity showing upload size/time, unknown devices, and security/recovery changes. Write down the date/time. -
Check devices that sync to the cloud.
Run an up-to-date malware scan on computers that sync to the cloud, update the operating system and the cloud app, and reboot. If this is a work-managed account/device, stop and follow your organization’s IT/security incident process. -
If you suspect significant fraud/loss, use official reporting routes (optional).
- If there’s substantial financial loss, extortion, or a clear cyber-enabled crime pattern, you can file a report with the FBI’s IC3.
- If personal information (like SSN or financial account access) may be misused, use IdentityTheft.gov for guided recovery steps.
What can wait
- You do not need to decide right now whether to permanently delete files, rebuild your cloud structure, or notify everyone you know.
- You do not need to wipe devices immediately unless you have clear evidence of infection and you’ve first secured accounts and saved key details.
- You do not need to purchase security tools in the moment—stabilizing access and stopping sync comes first.
Important reassurance
A sudden large upload can be caused by legitimate syncing/backup settings, a second device you forgot was connected, or an app you previously authorized. Securing the account and pausing sync is the right first step either way.
Scope note
These are first steps to stabilize and reduce harm. If you confirm unauthorized access, later steps may include deeper device cleanup, reviewing what was exposed, and provider-led recovery.
Important note
This is general information, not legal, medical, or professional cybersecurity advice. If workplace systems or sensitive data are involved, use official provider support and your organization’s incident reporting process.
Additional Resources
- https://consumer.ftc.gov/how-recover-your-hacked-email-or-social-media-account
- https://consumer.ftc.gov/articles/use-two-factor-authentication-protect-your-accounts
- https://consumer.ftc.gov/consumer-alerts/2024/10/email-or-social-media-hacked-heres-what-do
- https://www.ic3.gov/
- https://www.identitytheft.gov/Info-Lost-or-Stolen