Account Security and Recovery

Most security guidance focuses on protecting accounts from being accessed by others. Less attention is placed upon what happens when you lose access yourself or when an attacker uses your own account recovery process against you.

Account lockout is a more common experience than many people expect, and the recovery process, when not set up carefully, can be as much of a vulnerability as a weak password.

Keep recovery information current

Account recovery typically depends on a recovery email address, a phone number, or both. If either of these is outdated (an old email account you no longer access, or a phone number that has since changed), you may find yourself locked out of an account with no straightforward route back in. Review recovery contacts periodically, particularly after changing email addresses or phone numbers.

Security questions are weak

Many services still use security questions as a fallback: the name of your first pet, your mother’s maiden name, the street you grew up on. The problem is that this information is often findable, through public records, social media, or simply a conversation with someone who knows you. Treat security question answers as passwords rather than as genuine answers. Use a random or unrelated string, and store it in your password manager alongside the account credentials.

Understand how to recover access before you need it

The time to understand an account recovery process is not when you’re locked out of it. For accounts that matter (email, financial, work-related, anything holding sensitive information), take a few minutes to review what recovery options exist and confirm they’re configured correctly. Download or record backup codes where services offer them. These are often provided when setting up MFA and tend to be stored once and never looked at again, which is a problem if they’re needed later.

Recovery as an attack vector

Account recovery processes can themselves be targeted. An attacker who can answer your security questions, access your recovery email, or intercept an SMS code sent to your phone can use the recovery process to take over an account even without knowing your password. This is one of the reasons recovery email accounts deserve the same level of security as the accounts they protect: a weak or compromised recovery address is a route around strong credentials elsewhere.

SIM-swapping – where an attacker convinces a mobile carrier to transfer your number to a device they control – can be used to intercept SMS recovery codes. For accounts of particular sensitivity, using an authenticator app rather than SMS for both MFA and recovery codes significantly reduces this risk.

When an account is compromised

If you believe an account has been accessed without your authorisation, act quickly. Change the password immediately, review active sessions and revoke any that aren’t yours, check whether recovery contacts have been altered, and enable MFA if it isn’t already in place. For email accounts in particular, check whether forwarding rules have been added; this is a common tactic that allows an attacker to continue receiving copies of emails even after a password change.

Report the compromise to the service if appropriate, and review whether any other accounts that used the same password or shared credentials may also be at risk.