A friend of mine just had their Facebook account broken into the other day, and the attackers employed an ingenious trick to lock her out forevermore: enabling two-factor authentication and tying it to a random phone number. As a result, she can’t get in no matter how many password resets she submits, and Facebook’s official channels—not always the best for customer service—have left her high and dry.
Account break-ins suck, whether they’re random attacks from someone who guessed or got ahold of your password, or people you know who are being cyber-assholes. The latter is the case that Lifehacker reader Michelle is running into, and here’s her (incredibly brief) story she sent to Tech 911:
My ex has hacked all my accounts and keeps backing up passwords, so when I try to set new ones up he has the info already. Please help.
How to get your account back after you’ve been hacked
I’m sorry you’re dealing with this, Michelle. I’m not quite sure I understand the bit about backing up passwords, but I’m assuming that your ex has set up some kind of backdoor into your accounts. So, even if you were to change the password, he still has some way to get back into your account and reset it to something else. There are plenty of ways to do this, unfortunately—even something as innocent as making a copy of the backup keys you use for two-factor authentication (2FA).
Whether I’ve got that right or not, let’s go over everything you’ll want to do to regain access to your accounts—and the order in which you’ll want to do it. First and foremost, you’ll want to make sure you’ve locked down whatever you use to save your passwords. If that’s your web browser, for example, and you’ve signed into said browser with an account (like your Google account), you’ll want to access that account and change the password. Make it something unique, a password that can’t be guessed from random words, phrases, or anything else related to you.
But that’s just the bare minimum. While you’re doing this, go through your account’s settings and make sure that everything is correct. Is your email address accurate? Your phone number? Is there any other identifying information that isn’t, well, yours? If so, change it back to yours. And if the company behind the account in question offers a way to see anywhere else you’re logged in with your account—and revoke permission for those devices—do that, too.
Next, check to see if you can sign up for two-factor authentication for your account. If it’s already enabled, great! Disable it, re-enable it, and copy/paste any new backup codes you’re provided to a safe location. If you’ve never used 2FA, enable it immediately once you’ve confirmed that only your email address and/or phone number are associated with your account—no others.
This final step is critical, and it should help you address any and all login issues. That’s because you’ll now use a device like your smartphone—either via a text message or authenticator app—as a second form of verification for any login attempts. Someone might know your password, but they won’t be able to do anything with it unless they have that special, changing code that (theoretically) only you can access. And if you get one of these login notification requests, but it wasn’t you that tried to log into an account, you’ll know to change your compromised password (again).
Now that you know the basics, you’ll next want to tackle other pressing accounts: your email, your cellular carrier, and so on. Basically, you’re going to want to go from most-important to least-important and make the same checks and changes: Is any other information associated with your account that shouldn’t be (like a different email address)? Have you changed the password to something you don’t use anywhere else, have never used before, and is impossible for a normal person to guess? Can you set up 2FA?
The more accounts you lock down, the fewer issues I suspect you’ll have with anybody breaking in. And since you’re going to have to go through this annoying process with any account you want to secure, now’s a great time to start using a password manager (if you aren’t already). Make sure you assign it a solid, unique password—and lock it down with 2FA—and you can then use the app to help you create unique, complicated passwords for all of the accounts you’ll be working on.
Based on your letter, I’m not entirely convinced you won’t have to reset all of your devices, too, to ensure nobody has installed spyware on them. It wouldn’t be the worst idea—reset your PC or Mac and set it up from scratch, or consider taking note of all the apps on your phone, backing up its data (such as your photos) to the cloud, and wiping it. You’ll have to spend some time setting it up again, but you’ll feel better knowing that only you have ever had physical access to this device. And, as a result, it’s probably as secure as it’ll ever be.
Similarly, make sure you’ve gone through any accounts that offer family sharing—such as Google, Microsoft, or Apple accounts—and disable it, in case that’s the trick your ex was using to keep a foot in the digital door.
Basically, you’re going to need to take some time to go through your major accounts, inspect their settings, lock them down, and sanitize your digital life. It’s an annoying process, and I’m sorry, again, that you have to deal with it, but you’ll come out of this with a much more secure setup in place.
David Murphy is Lifehacker's Senior Technology Editor. He has geeked out writing for The New York Times, Wirecutter, PC Magazine, Reviewed, Computer Shopper, and PCWorld. www.thedavidmurphy.com