In plain words
If this just happened, start at the top and do each step in order. You do not need to solve everything at once.
Stay calm first
If you typed login details into a phishing page, speed matters. Here is a practical recovery order.
What the risk depends on
Risk is highest when the same password is reused across services, or when the attacker also captured a one-time code or the signed-in session itself (as in relay-style phishing), so that MFA did not stop the login.
First 5 minutes priority order
- Contain the risk: stop interaction, close suspicious pages, disconnect if needed.
- Secure exposed accounts: reset login details from the official app or a site address you type yourself (never from a link in the message), then sign out unknown sessions.
- Protect payments: lock cards or contact provider if payment data may be exposed.
- Document and notify: save evidence and contact relevant support channels.
Immediate steps
- Change the affected account password immediately from the official app or site, not from any link in the message you received.
- Sign out all active sessions and revoke unknown devices; a password change alone does not always end sessions the attacker already opened. Remove any third-party app access you do not recognise while you are there.
- Rotate reused passwords on any other accounts.
- Check recovery email/phone settings for unauthorized changes.
Priority order
- Primary account first (email, identity providers, banking), because password resets for everything else are sent to it.
- Then dependent accounts that rely on that email.
- Then social and commerce accounts.
- Finally, less critical services.
Who to contact
If this affected a work account, notify your security or IT team immediately; they can end sessions and check for mailbox rules you cannot see. For financial accounts, call support using a number you already trust (the back of your card or the provider's official site), never one from the message.
What to monitor
- New forwarding rules in email
- Unexpected MFA prompts
- Password reset notifications
- Changes to billing or shipping addresses
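For the work-account case, the mailbox-rule check the IT team runs can be scripted. The script below is an added example for this page, not code from the original article: it scans an exported list of inbox rules and flags the two things an attacker typically sets up after a phished login, forwarding or redirecting to an outside address, and rules that silently delete password-reset or sign-in notifications. The rule field names (forward_to, redirect_to, delete_message, subject_contains) and the sample rules are constructed assumptions; map them onto whatever your mail platform's export actually provides.

```python
"""Audit mailbox rules for the forwarding and auto-delete tricks that
follow a phished login. Added example, not part of the original page.
Field names are an assumption: adapt them to your platform's rule export."""

# Subject fragments an attacker hides from the victim so that reset and
# new-sign-in notices never get read (constructed list, extend as needed).
SECURITY_KEYWORDS = ("password", "reset", "sign-in", "security alert", "verification")

# Constructed sample: the organisation's own mail domains.
OWN_DOMAINS = {"example.com"}

# Constructed sample export of one user's inbox rules.
SAMPLE_RULES = [
    {"name": "Receipts", "enabled": True, "move_to_folder": "Receipts",
     "subject_contains": ["receipt"]},
    # Attacker-style rule: one-character name, forwards out, deletes the copy.
    {"name": ".", "enabled": True,
     "forward_to": ["backup.mail.2024@outlook-mailer.example"],
     "delete_message": True},
    # Attacker-style rule: bins the alerts the victim would otherwise notice.
    {"name": "Cleanup", "enabled": True, "delete_message": True,
     "subject_contains": ["password reset", "new sign-in"]},
    # Disabled rule: cleanup item, not an active threat.
    {"name": "Old", "enabled": False, "redirect_to": ["x@evil.example"]},
]


def external_addresses(addresses, own_domains):
    """Return the addresses whose domain is not one of own_domains."""
    own = {d.lower() for d in own_domains}
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in own]


def audit_rules(rules, own_domains):
    """Map rule name -> list of reasons the rule looks attacker-made.

    Each rule is a dict with optional keys: enabled (bool), forward_to (list),
    redirect_to (list), delete_message (bool), subject_contains (list of str).
    """
    findings = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue  # disabled rules do nothing; tidy them up but do not alert
        reasons = []
        targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
        ext = external_addresses(targets, own_domains)
        if ext:
            reasons.append("forwards or redirects to external address: " + ", ".join(ext))
        if ext and rule.get("delete_message"):
            reasons.append("deletes the local copy after forwarding, hiding the theft")
        subjects = [s.lower() for s in rule.get("subject_contains", [])]
        if rule.get("delete_message") and any(
            k in s for s in subjects for k in SECURITY_KEYWORDS
        ):
            reasons.append("deletes messages matching security keywords: " + ", ".join(subjects))
        if reasons:
            findings[rule.get("name", "<unnamed>")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES, OWN_DOMAINS).items():
        print(f"[!] rule {name!r}:")
        for reason in reasons:
            print("    -", reason)
```

Run it against a real export and treat every finding as a rule to delete, not just disable, then re-run after the password reset and session sign-out to confirm nothing was recreated.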
Prevention for next time
Use a password manager, unique login details per site, and phishing-resistant MFA (passkeys or FIDO2 security keys, which will not authenticate to a look-alike site) where available.
Important: Fast containment beats perfect certainty. Start with reversible safety steps now.