Account Takeover Recovery for Google, Microsoft, and Dropbox: First 24 Hours Checklist


RecoverFiles.cloud Editorial Team
2026-06-09

A reusable first-24-hours checklist for recovering Google, Microsoft, and Dropbox accounts after takeover and limiting file damage.

If your Google, Microsoft, or Dropbox account has been taken over, the first day matters more than the next week. This checklist is built for that window: contain the account, protect other linked services, preserve evidence, and improve your odds of recovering cloud files before normal retention limits, sync behavior, or attacker changes make the situation worse. Keep it bookmarked and use it in order rather than trying to fix everything at once.

Overview

An account takeover is rarely just a password problem. In many cases, the attacker’s goal is broader: access cloud files, reset other accounts, steal identity data, plant forwarding rules, or use trusted sharing features to phish coworkers and clients. That is why effective account takeover recovery starts with containment first and cleanup second.

The first 24 hours usually break down into five priorities:

  1. Regain control of sign-in. If possible, recover the account through the provider’s official flow and immediately change credentials.
  2. Stop ongoing access. Sign out other sessions, revoke suspicious devices, rotate app passwords or OAuth grants, and review backup codes or recovery factors.
  3. Protect connected systems. Email, file sync apps, password managers, mobile devices, browsers, and single sign-on relationships can all extend the blast radius.
  4. Check for file and sharing abuse. Review recent deletions, version history, external shares, mailbox rules, and unusual app activity. This is where cloud file recovery often begins.
  5. Document what happened. Screenshots, timestamps, malicious messages, and unauthorized changes help with provider recovery, internal response, and later identity protection steps.

Before you start, use a device you believe is clean. If you clicked a suspicious file-sharing message or entered credentials on a fake sign-in page, avoid continuing from the same browser session until you have checked it for extensions, saved passwords, and malware concerns. If you need a refresher on suspicious links, see Suspicious File Sharing Link Checker: What to Verify Before You Click.

A practical rule: if you still have access, do not rush into deleting everything you do not recognize. First capture screenshots and note timestamps. Attackers often change recovery options, add devices, create sharing links, and alter mailbox rules. Evidence you erase too early can make later recovery harder.

Checklist by scenario

Use the scenario that matches your current state. If more than one applies, work from top to bottom.

Scenario 1: You still have access to the account

This is the best-case compromise scenario. Treat it as active until proven otherwise.

  1. Change the password immediately from the provider’s official account page, not from a link in email or chat. Use a new, unique password not used on any other service.
  2. Review and update multi-factor authentication. Remove unrecognized devices or authenticators. Replace compromised backup codes. If SMS is your only factor, consider moving to an authenticator app or hardware security key when your provider supports it.
  3. Sign out of other sessions and review devices. Look for unfamiliar browsers, locations, or recent sign-ins.
  4. Check recovery options. Confirm recovery email addresses, phone numbers, trusted devices, and security prompts have not been altered.
  5. Audit third-party app access. Revoke unknown OAuth grants, connected apps, legacy mail clients, and app-specific passwords you no longer need.
  6. Review mailbox rules and forwarding. In Google and Microsoft ecosystems especially, attackers may create hidden forwarding, archive, or delete rules to intercept recovery emails and invoices.
  7. Review cloud storage activity. Check recent file changes, deletions, version history, external sharing, and newly created folders. If files appear encrypted, renamed, or mass-modified by sync, consult Ransomware and Synced Cloud Drives: How to Recover Clean Versions of Your Files.
  8. Check for browser persistence. Remove suspicious browser extensions, clear saved credentials for affected accounts, and review password manager entries.
  9. Notify affected contacts if the account sent phishing messages. Keep the message short: say the account was compromised, previous file-sharing emails should be treated as suspicious, and recipients should avoid clicking old links.

Scenario 2: You are locked out of a Google account

To recover a hacked Google account, focus on the official recovery path first, then on Drive and Gmail changes once access is restored.

  1. Go directly to Google’s official account recovery flow. Do not trust links from messages claiming your account is suspended or under review.
  2. Use a familiar device and location if possible. Recovery systems often look for known sign-in patterns.
  3. Answer recovery prompts carefully and consistently. If you are unsure, avoid guessing repeatedly in ways that may look random.
  4. After regaining access, change the password and inspect security settings immediately.
  5. Review Gmail filters, forwarding addresses, delegated access, and recovery methods.
  6. Inspect Google Drive activity. Look for suspicious sharing, moved or deleted files, and modified document permissions. If files were overwritten, see How to Recover Overwritten Files in Google Drive, Dropbox, and OneDrive.
  7. Check Google account security events and recent devices. Remove anything unfamiliar.
  8. Review linked Google services. Calendar, Contacts, YouTube, and Google Voice can all reveal secondary abuse.
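An added example (not part of the original article) for the filter and forwarding review in step 5: it assumes you have exported your Gmail filters to the Atom-style XML file and flags entries that forward mail externally or hide security-related messages. The sample export, the `own_domains` parameter, and the watchword list are constructed assumptions to adjust for your own account.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Assumed review heuristics: actions that keep mail out of sight, and topics worth hiding.
HIDING = {"shouldTrash": "deletes matching mail",
          "shouldArchive": "skips the inbox",
          "shouldMarkAsRead": "marks as read"}
WATCHWORDS = ("security", "password", "verification", "invoice", "recovery")

# Constructed sample in the shape of a Gmail filter export; not real account data.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='security alert OR password OR verification'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
  <entry>
    <apps:property name='subject' value='invoice'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

def audit_filters(xml_text, own_domains=("example.org",)):
    """Return [(entry_index, [reasons])] for filters that deserve manual review."""
    findings = []
    for i, entry in enumerate(ET.fromstring(xml_text).iter(ATOM + "entry")):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        reasons = []
        fwd = props.get("forwardTo", "")
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in own_domains:
            reasons.append(f"forwards to external address {fwd}")
        hides = [why for key, why in HIDING.items() if props.get(key) == "true"]
        criteria = " ".join(props.get(k, "") for k in ("from", "subject", "hasTheWord")).lower()
        hits = [w for w in WATCHWORDS if w in criteria]
        if hides and hits:  # hiding mail about exactly the topics an owner needs to see
            reasons.append(f"{', '.join(hides)} for mail matching {', '.join(hits)}")
        if reasons:
            findings.append((i, reasons))
    return findings

if __name__ == "__main__":
    for index, reasons in audit_filters(SAMPLE_EXPORT):
        print(f"filter #{index}: " + "; ".join(reasons))
```

Capture a screenshot of each flagged filter before deleting it, so the evidence survives the cleanup.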

If the takeover started with a fake Google Drive email or file-sharing lure, review Google Drive Scam Alerts: How to Spot Fake File Sharing Emails and Notifications after the account is stable.

Scenario 3: You are locked out of a Microsoft account

Microsoft account recovery after phishing often overlaps with Outlook, OneDrive, and sometimes Windows sign-in exposure. Prioritize the account, then OneDrive content and mailbox abuse.

  1. Use Microsoft’s official recovery tools from a clean browser session.
  2. Reset the password and review sign-in activity as soon as access returns.
  3. Check security info. Remove unknown phone numbers, alternate emails, authenticator registrations, or backup methods.
  4. Inspect Outlook rules, forwarding, and inbox organization settings. Attackers often hide security notices in RSS, Archive, or deleted folders.
  5. Review OneDrive activity. Check recent file operations, unusual shares, and mass deletions. If you need restore options, compare version and trash methods in Version History vs Trash Recovery: Which Cloud Restore Method You Should Try First.
  6. Check devices tied to the Microsoft account. On personal setups, this may include Windows PCs, Office apps, browsers, and authentication prompts.
  7. Revoke app access you do not recognize. Legacy clients and connected apps can persist after a password reset.

If the entry point was a document-sharing lure, this related guide may help: OneDrive Phishing Scams: How to Verify Shared File Links Before You Open Them.

Scenario 4: Your Dropbox account was compromised

When a Dropbox compromise involves synced desktops, think about both cloud actions and local propagation.

  1. Reset the password using Dropbox’s official site.
  2. Review active web sessions and linked devices. Unlink devices you do not recognize.
  3. Check connected apps and API access. Remove integrations you no longer trust.
  4. Review recent file changes, deletions, and shared links. Attackers may quietly create long-lived shared access rather than visibly deleting files.
  5. Inspect team folders or shared workspaces carefully. Shared environments widen the incident impact.
  6. Pause local sync on devices you suspect are affected. This can help limit further destructive sync while you assess what changed.
  7. Use version history and deleted file recovery promptly. Recovery windows matter; see Cloud File Recovery Time Limits: Google Drive, Dropbox, OneDrive, iCloud, and Box.

Scenario 5: Files are missing, overwritten, or encrypted after takeover

At this stage, the incident has moved from identity protection into file recovery. Work carefully so you do not destroy clean versions.

  1. Pause sync on affected endpoints if destructive changes are still propagating.
  2. Identify whether the issue is deletion, overwrite, permission loss, or ransomware-style encryption. The recovery path differs for each.
  3. Check trash or deleted items first.
  4. Then check version history for important files and folders.
  5. Review external shares and ownership changes. A file may not be gone; it may have been moved or permissions may have changed.
  6. Compare cloud restore with any independent backup. Backup and sync are not the same protection layer; see Cloud Backup vs Cloud Sync for File Recovery: What Actually Protects You.
  7. Use caution with third-party recovery tools. Do not upload sensitive files to unvetted services during an active incident. This guide can help: Safe File Recovery Tools: How to Vet Software Before Uploading or Scanning a File.

Scenario 6: You entered credentials on a phishing page but do not know whether the attacker logged in

Treat this as a likely compromise, not a near miss.

  1. Change the password immediately.
  2. Reset MFA if the phishing flow may have captured a code.
  3. Sign out other sessions.
  4. Review recent sign-in history and security events.
  5. Rotate any reused password on other services. Email, password managers, and financial logins are top priority.
  6. Monitor inbox and cloud storage for subtle changes over the next several days.
  7. If the phishing page requested personal data beyond login details, move into identity protection steps.

What to double-check

Once the account appears stable, slow down and verify the items most often missed in the first pass.

  • Recovery settings: phone numbers, alternate emails, backup codes, trusted devices.
  • Mailbox persistence: forwarding rules, filters, delegated access, hidden folders, archive rules.
  • Third-party access: OAuth grants, app passwords, IMAP/POP access, API tokens, automation tools.
  • Sharing exposure: public links, external collaborators, inherited folder permissions, team access.
  • File integrity: recent versions of critical documents, renamed folders, missing ownership, corrupted sync states.
  • Browser and endpoint state: saved passwords, cookies, suspicious extensions, remote access tools, unmanaged devices.
  • Password reuse: if the compromised password was reused anywhere, assume those accounts need attention too.

If you suspect the attacker used your account to access regulated or confidential data, your next actions may involve internal security or legal processes. Even then, the same practical checklist applies: preserve evidence, contain access, and verify file exposure before making assumptions.

For recovery planning, it also helps to know which restore option to try first and how long restore windows may last. Two useful references are Version History vs Trash Recovery: Which Cloud Restore Method You Should Try First and Cloud File Recovery Time Limits: Google Drive, Dropbox, OneDrive, iCloud, and Box.

Common mistakes

These are the errors that make recovery slower or increase the chance of repeat compromise.

  1. Using links from the suspicious message to fix the problem. Always navigate to the provider directly.
  2. Changing the password but leaving attacker persistence in place. Recovery emails, forwarding rules, and app tokens can survive a password reset.
  3. Continuing to sync from a compromised device. If malware or destructive scripts are involved, sync can spread damage.
  4. Ignoring file shares. Attackers may prefer silent access over visible deletion.
  5. Overlooking identity exposure. If the phishing kit collected addresses, phone numbers, payment data, or ID documents, the incident goes beyond cloud access.
  6. Not documenting what changed. Timestamps, screenshots, and affected folders help with support and internal review.
  7. Trying random recovery steps repeatedly. This can complicate provider recovery systems and blur your evidence trail.
  8. Trusting any recovery tool during panic. Vet software and services carefully before uploading sensitive content. If you are comparing options, start here: Best Cloud File Recovery Tools and Services: Features, Limits, and Privacy Tradeoffs.

When to revisit

This checklist is most useful when it is reviewed before an incident, immediately after one, and after any meaningful change to your workflow.

Revisit it when:

  • You change MFA methods such as moving from SMS to an authenticator app or security key.
  • You add or remove sync clients, devices, or browsers.
  • Your organization changes file-sharing patterns such as more guest links, external collaboration, or QR-based login flows.
  • You adopt new automation tools or third-party integrations.
  • Seasonal planning cycles begin, especially before travel, hiring bursts, or holiday periods when phishing volume often rises.

For practical readiness, make a short personal version of this article and store it somewhere you can reach without the compromised account. Include direct bookmarks to your provider’s account security page, your password manager emergency process, your backup location, and your internal reporting path if you have one.

A final first-24-hours action list to keep on hand:

  1. Recover or reset access from the provider’s official site.
  2. Change the password and rotate compromised factors.
  3. Sign out other sessions and remove unknown devices.
  4. Review recovery settings, forwarding rules, and third-party access.
  5. Check cloud files for deletion, overwrite, sharing abuse, or ransomware-style changes.
  6. Pause sync on suspect devices if file damage is ongoing.
  7. Document evidence and warn impacted contacts.
  8. Monitor related accounts for password reuse and identity theft risk.

If you need to recover cloud files after the account is secure, continue with provider-specific restore steps rather than ad hoc tool downloads. Start with version history, trash recovery, and retention windows before moving to third-party software. That sequence is slower than panic, but it is usually safer.
