An account-recovery plan is a small document you prepare while you can still sign in. It records the official recovery route, the backup factors you control, and the first checks to make after access returns.
Start with the accounts that can reset everything else: your primary email, phone account, password manager, domain registrar and financial services. For each one, record the provider's official help page, the recovery email or number you recognize, and whether backup codes or a hardware key exist. Do not store passwords or one-time codes in the checklist.
If you think someone got in
Use the provider's official recovery page or app rather than a link in an alarming message. The FTC's recovery guidance recommends changing the password, signing out of other devices, turning on two-factor authentication, and checking recovery information after you regain control.
Review recent sessions, forwarding rules, connected apps and messages sent from the account. Tell contacts if an attacker may have used the account. Preserve relevant records before deleting browser data or wiping a device if the incident may need to be reported.
Recovery is not the same as proof that the account is clean. A changed password can stop one route while a changed recovery address, active session or connected app preserves another. Work through the provider's security checklist, then update the recovery plan with anything you learned.
Keep the plan offline or in a protected location, and review it when you change phone numbers, email addresses, devices or authentication methods. The useful time to discover that a recovery address is obsolete is before the lockout.
Sources & methodology2 sources - evidence for this revision
The records below show what each source supports in this published revision.
- Recover a hacked email or social accountFederal Trade Commissionprimary - Retrieved Jul 10, 2026
What it supportsAfter account compromise, change the password, sign out devices, enable 2FA and check recovery information. - Recovery information should be checked after regaining access.
- Cyber incident response best practicesU.S. Department of Justiceprimary - Retrieved Jul 10, 2026
What it supportsRelevant records may be worth preserving before destructive cleanup in an incident.



