The Account Takeover Runbook

Start reviewing the account from a secure machine.

For most of these steps, you will want to eliminate malware as a factor. Grab a cheap Chromebook or use a machine that is outside of the current blast radius.

Remove SMS Dependencies.

Phone companies have an atrocious security record around SMS forwarding, porting, and SIM registering. Before going forward, you may want to consider setting up a Google Voice SMS number, or finding a more trusted phone for the victim. This may not be necessary if you can somehow rule out SMS or cellular related attacks.

Reset the password.

This step is complicated if you believe the victim’s webmail is also compromised. If this seems to be the case, you may be better off starting by locking down a victim’s webmail first. Otherwise an attacker is on even footing with you, and will regain access easily.

Enable Multifactor / Two Step / Two Factor / Login Approvals

If you’re comfortable receiving SMS codes for your victim, that will be helpful. Otherwise, OTP based multifactor is always preferred if a victim can manage it.

Inspect Sessions / Destroy Sessions

At this point, and throughout, you should keep an eye on any features this account gives you to observe sessions or changes in progress and make sure no adversary hops into the account while you are mitigating it.

Remove applications that are unnecessary, suspicious, or unfamiliar.

Nearly every company has an application platform you can authorize external access into an account with.

Secure any linked accounts or remove maliciously added accounts.

Products like Instagram, Facebook, LinkedIn, etc, have a concept of “Linked Accounts” that will repeat content across services. Quickly check to make sure that any linked accounts are also locked down, or were not placed there intentionally. This may not matter as much depending on the content and whether it’s all public anyway.

Review recovery addresses for attack, or secure any existing accounts.

Many services have some recovery address feature in a not-so-obvious place.

Remove unknown phone numbers or vulnerable phone numbers.

If phone numbers are added or modified in an attack, they’re often available for use in password reset processes.

Review forwarding and filters that are pushing data externally.

Remove any “Application Specific Passwords” that will bypass auth.

App specific passwords are generally created when you’ve got to authenticate something that must bypass multifactor auth, or simply can’t prompt the user for a password every time.

Review devices that might be authenticated to the account.

Sometimes “Devices” might be an important aspect of multifactor or authentication. For instance, you’ll see devices in iCloud that will be a part of authentication. Keep an eye out for any features like this.

Facebook: Make sure “Trusted Contacts” was set up intentionally.

Facebook has a feature to allow you to regain access to your account via trusted friends. If this was not set up by the victim, it would be problematic and allow for future access.

Facebook: Make sure “Legacy Contact” was set up intentionally.

Similarly, in Facebook, you can have an account transition to someone else upon memorialization (if Facebook receives proof that you’ve died).

Profile Picture Login

Facebook has a “Profile Picture Login” feature you should make sure is not authorized on any devices that are unknown.

Upon a regression, reconsider the vector.

If a victim is compromised repeatedly after combing through their accounts and removing malicious access, there may be an underlying platform issue to consider.


Review extensions in the browser for anything unfamiliar or unused. Keep in mind that seemingly innocuous extensions, intentionally installed by the victim, even if they are tech-saavy, can be bought and sold by miscreants and used for evil.


If the browser is clean, sessions or passwords may be taken from the host itself from a malware issue. Malware cleanup out of scope from this runbook.


If dealing with a hilarious prank, or a physical threat, consider if a keylogger is installed physically on the device.


If there are corporate MITM or other CA’s installed on the victim to perform a MITM attack, consider how they would be exposed.

Unreliable Victim

Is the victim logging into the malware ridden computer in the other room they haven’t told you about? Start over.


I write security stuff on medium.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store