
Recovering hacked accounts
- Contact your account provider
- Go to the account provider’s website and search their help/support pages, which will explain the account recovery process in detail. It’s likely to be different for each account.
- Check your email account
- Check there are no unwanted forwarding rules in your email account. Cyber criminals can set up rules that mean they’ll automatically receive copies of all emails sent to your account (which would allow them to reset your passwords).
- Change your passwords
- Change the password for any account that has been hacked, and for any other accounts that use the same password. Cyber criminals know that people use the same password for different accounts, and so will try the same hacked password across multiple accounts.
- Force all devices and apps to log out
- This can usually be done from the settings menu of the app or website (or it may be part of the ‘privacy’ or ‘account’ options). Once you’ve done this, anyone attempting to use your account will be prompted to supply the new password.
- Set up 2-step verification (2SV)
- 2SV (which is also known as two-factor authentication or 2FA) usually works by sending you a PIN or code, often via SMS or email, which you’ll then have to enter to prove that it’s really you. So even if a criminal knows your password, they won’t be able to access your accounts.
- Update your devices
- Apply updates to your apps and your device’s software as soon as they are available. Updates include protection from viruses. Applying those updates promptly is one of the most important (and quickest) things you can do to prevent your account from being hacked.
- Notify your contacts
- Contact your account contacts, friends or followers; let them know that you were hacked, and suggest they treat any recent messages sent from your account with suspicion. This will help them to avoid being hacked themselves.
- Check your bank statements and online shopping accounts
- Keep a lookout for unauthorised purchases. Check your bank accounts for any unusual transactions. You can contact your bank directly for further support. Always use official websites or social media channels, or type the address directly into your browser. Don’t use the links in any messages you have been sent.
- Contact ActionFraud
- If you lost money, tell your bank and report it as a crime to ActionFraud, the UK’s reporting centre for Cyber Crime. In Scotland, contact the police by dialling 101. You’ll be helping the NCSC and police to reduce criminal activity.
Whether it’s your Facebook, Amazon, or Netflix account, the explosion in popularity of online apps and services means more and more of us have to remember an increasingly long list of passwords. Unfortunately, some of us cope with this challenge by resorting to practices that leave our data, devices and money at risk – by using the same password across multiple accounts, or by creating simple passwords that could easily be guessed by hackers. Bad password practice is more prevalent than you might think – the UK’s National Cyber Security Centre carried out analysis of passwords leaked in data breaches and found that more than 23 million users worldwide used 123456 as a password. You can read more about it here: https://www.ncsc.gov.uk/news/most-hacked-passwords-revealed-as-uk-cyber-survey-exposes-gaps-in-online-security

Here are some top tips that will make your life easier and your online accounts more secure:

1: Creating memorable passwords
A good way to create strong, memorable passwords is by using 3 random words. But remember, don’t use words that can be guessed (like your pet’s name). You can include numbers and symbols if you need to. For example, “RedPantsTree4!”

2: Saving passwords in your browser
Saving your password in your browser means letting your web browser (such as Chrome, Safari or Edge) remember your password for you. This can help:
- make sure you do not lose or forget your passwords
- protect you against some cyber crime, such as fake websites
It is safer than using weak passwords, or using the same password in more than one place.
Here are some useful links on how you can start saving passwords in your browser: Google Chrome, Microsoft Edge, Firefox, Safari.

3: Email account passwords
If a hacker gets into your email account, they could:
- reset your other online account passwords
- access personal information you have saved about yourself or your business
Your email password should be strong and different to all your other passwords. This will make it harder to crack or guess.
Need help changing your email account password? You can use these links to find step by step instructions: Gmail, Yahoo! Mail, Outlook, BT, AOL Mail.

For more of the government’s latest advice on how to stay secure online, visit the Cyber Aware website: https://www.ncsc.gov.uk/cyberaware
Password reset scam



Alert Trading Standards 30 April 2026
Why did I receive a password reset email I didn’t request?
Unexpected password reset emails don’t always mean your account has been hacked, but it’s important to know how to respond.
If you’ve received a password reset email you didn’t request, it could be a sign that someone else is trying to access your account without your permission.
In many cases, these emails are triggered when someone enters your address on a login page – either by mistake or as part of an automated attack using leaked passwords from other websites. This can happen with a wide range of accounts, including email services, social media, online shopping sites and online banking.
Below we explain how to tell if the email is genuine, and what steps you should take next if you’re sure you didn’t request it yourself.
What to do if you didn’t request a password reset
- Don’t click any links in the email
- If the message is a scam, the link could take you to a fake website designed to steal your login details. Instead, open a new browser window and enter the company’s web address yourself to access your account safely.
- Check the sender’s address
- Look for anything unusual, such as misspellings, extra characters or a domain that doesn’t match the company’s official website. Be wary of addresses that look similar but use different endings (for example, .net instead of .com). You can also search the address online to see if other users have reported issues.
- Check your account for unusual activity
- Log in to your account directly (not via any links in the password reset email) and look for anything you don’t recognise, such as login attempts from unfamiliar locations or devices. Most services have a Security or Recent activity section where you can review this.
- The exact steps will vary depending on the service you’re using. For example:
- On Gmail – on desktop, scroll to the bottom of your inbox and click Details next to Last account activity. On mobile, open the Gmail app, tap your profile picture, then Manage your Google Account > Security and sign-in. Review the Recent security activity and Your devices headings.
- On Outlook – on desktop, open your Outlook inbox, click the profile icon in the top-right corner and then My Microsoft account. From there, choose Security > See your sign-in activity.
- On Facebook – on desktop, click your profile picture (top right), then go to Settings & privacy > Settings > Password and security, and check Where you’re logged in. On mobile, tap the menu (three lines), then go to Settings & privacy > Accounts Centre > Password and security > Where you are logged in.
- If you spot an unknown device or suspicious login attempt, change your password immediately and log your account out of any devices you don’t recognise.
- Secure your account
- Even if you don’t see any suspicious activity, it’s worth taking a few steps to strengthen your account security.
We suggest starting by ensuring your passwords are strong and unique. Avoid reusing passwords across different sites, as this makes it easier for attackers to gain access if your details are exposed in a data breach.
Turn on two-factor authentication (2FA) if it’s available. Once enabled, it makes your accounts much harder to access without permission by requiring a second step when you sign in, such as entering a code sent to your phone or generated by an authenticator app. It’s also worth reviewing your account recovery settings, such as backup email addresses and phone numbers, to make sure they haven’t been changed without your knowledge.
If your account is protected with a strong password and 2FA, and you can’t see any unusual activity, it’s usually safe to ignore a one-off password reset email. However, repeated requests could indicate someone is trying to access your account, so it’s worth keeping an eye on things.
Where to report
Protect others by reporting incidents like this.
Report suspicious texts you have received but not acted upon by forwarding the original message to 7726, which spells SPAM on your keypad.
Report suspicious emails you have received but not acted upon by forwarding the original message to report@phishing.gov.uk.
If you, or anyone you know, have been affected by fraud or any other scam, report it to Report Fraud by calling 0300 123 2040 or visiting www.reportfraud.police.uk
