Recovering After An Account Takeover
Account takeover is the most common cyber incident KNOMI Cyber handles in Australia. The recovery is more than a password reset — done badly, the attacker is back in within hours. Done well, you close the door, rebuild trust, and stop it happening again.
The first hour
Assume the email behind the account is the real target. Lock it down first. Change passwords, rotate 2FA, and sign out all sessions on every linked service. Capture screenshots of any unauthorised activity — posts, messages, transactions — before they disappear.
The first day
Audit connected apps, payment methods and recovery options on every important account. Look for forwarding rules, filters, and new admin users — attackers leave these behind as backdoors. Tell the people who might have been contacted in your name that your account was compromised.
Backdoors to look for
- Email forwarding and filter rules
- Unknown third-party app permissions
- New recovery email or phone
- Unfamiliar trusted devices
- New admins on shared accounts or Pages
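The checklist above can be worked through as a simple triage script. This is an added example, not KNOMI Cyber's tooling: the snapshot layout, field names and sample values are assumptions constructed for illustration, and the settings would be typed in by hand from each account's security pages.

```python
from datetime import datetime

# Constructed sample snapshot; field names are assumptions, not a provider export format.
SNAPSHOT = {
    "own_domains": {"example.com"},
    "mail_rules": [
        {"name": "Receipts", "action": "label", "target": "", "added": "2023-02-11"},
        {"name": ".", "action": "forward", "target": "inbox77@mail.invalid", "added": "2024-05-02"},
        {"name": "", "action": "delete", "target": "", "added": "2024-05-02"},
    ],
    "app_grants": [{"name": "Calendar Sync", "added": "2022-08-01"},
                   {"name": "PDF Tools Pro", "added": "2024-05-03"}],
    "recovery": [{"name": "+61 400 000 000", "added": "2021-01-15"},
                 {"name": "backup@mail.invalid", "added": "2024-05-02"}],
    "trusted_devices": [{"name": "Pixel 7", "added": "2023-10-09"}],
    "admins": [{"name": "owner@example.com", "added": "2020-03-01"},
               {"name": "helper@mail.invalid", "added": "2024-05-04"}],
}

CATEGORIES = ("mail_rules", "app_grants", "recovery", "trusted_devices", "admins")
# Rule actions that copy mail elsewhere or keep it out of the owner's view.
HIDING_ACTIONS = {"forward", "delete", "archive", "mark_read"}

def find_backdoors(snapshot, suspected_start):
    """Return (category, name, reason) for every setting that needs review."""
    start = datetime.fromisoformat(suspected_start)
    findings = []
    for category in CATEGORIES:
        for item in snapshot.get(category, []):
            reasons = []
            # Anything created since the earliest suspected access is suspect.
            if datetime.fromisoformat(item["added"]) >= start:
                reasons.append("added after suspected compromise")
            # Forwarding to your own domain is normal; everything else in
            # HIDING_ACTIONS is reviewed regardless of when it was created.
            if category == "mail_rules" and item["action"] in HIDING_ACTIONS:
                domain = item["target"].rpartition("@")[2].lower()
                if item["action"] != "forward" or domain not in snapshot["own_domains"]:
                    reasons.append(f"'{item['action']}' rule can hide or copy mail")
            if reasons:
                findings.append((category, item["name"] or "(unnamed)", "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for finding in find_backdoors(SNAPSHOT, "2024-05-01"):
        print(*finding, sep=" | ")
```

Set the start date earlier than you think the compromise began; a date that is too late lets older attacker-created settings pass as legitimate.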
The first week
Once the account is yours again, KNOMI Cyber helps Australians build the post-incident plan: where the data went, who needs to be notified, what to report (ReportCyber, Scamwatch, OAIC), and how to harden the rest of your digital life so the next attempt fails.
Frequently asked questions
How do I know if the attacker is fully out?
Only after a full audit of sessions, devices, apps, forwarding rules and recovery options. KNOMI Cyber runs this end-to-end.
Should I tell my contacts?
Yes — most scam messages from a hacked account land because the recipient trusts the sender. Warn them on another channel.
Will my account be safe afterwards?
If the underlying credentials are rotated and 2FA is moved to an authenticator app, the risk drops dramatically.