This is a guide on how to check whether someone compromised your online accounts.
# Best Practices: Account Security and Compromise Investigation
## Overview
These practices focus on proactive security measures and reactive steps individuals should take immediately if they suspect unauthorized access to major online accounts (email, social media, chat apps) to prevent data theft, financial loss, or stalking.
## Key Recommendations
### Immediate Actions (Response to Suspected Compromise)
1. **Review Active Sessions:** Immediately check the "Last account activity" or "Active Sessions" dashboard for all critical services (Gmail, Outlook, Discord, Telegram).
2. **Identify Unrecognized Activity:** Look for logins from unknown geographic locations, unrecognized devices, or unexpected times across all monitored services.
3. **In Google Accounts (Gmail):**
   * Navigate to the bottom right of the inbox and click "Details" under "Last account activity."
   * Review the active locations and devices shown in the Security Checkup.
   * If suspicious activity is found, immediately click "See unfamiliar activity?" and change the password.
4. **In Discord:** If an unknown device is listed under "Devices," log out of that session or use the "Log Out of All Known Devices" option if necessary (MFA will be required to confirm actions).
5. **In Telegram:** Go to Settings > Active Sessions and choose "Terminate all other sessions" to log out of all unknown devices simultaneously, or terminate suspicious individual sessions.
6. **Change Password Post-Investigation:** After identifying and logging out unauthorized sessions, change the password for the affected primary account (especially email); this usually forces a sign-out on all devices, except those the service keeps signed in until they re-verify.
### Short-term Improvements (1-3 months)
1. **Enable Multi-Factor Authentication (MFA/2FA):** Enable MFA on all critical accounts (email, banking, primary social media) using the strongest available methods.
2. **Review Third-Party Access:** Review and revoke access for any unknown, unnecessary, or outdated applications connected to core services (e.g., check "Authorized App" access in Discord).
3. **Review Linked External Accounts:** Check which external services are connected directly to primary accounts (e.g., "Connections" in Discord) and deauthorize any unnecessary links.
4. **Configure Auto-Logout Policies:** If available (e.g., in Telegram), set up automatic termination for sessions older than a defined period (e.g., 1 or 3 months).
### Long-term Strategy (3+ months)
1. **Adopt Hardware Security Keys:** For high-risk accounts (especially Google using Advanced Protection), procure and implement physical security keys as the strongest form of MFA.
2. **Investigate Passkey Adoption:** Explore enabling passkeys stored in a reputable password manager as an advanced safeguard against phishing and infostealer malware.
3. **Implement Advanced Protection Programs:** Enroll critical accounts, such as Google accounts, into Advanced Protection Programs offered by the service provider if the user faces elevated risk (e.g., journalists, activists).
4. **Maintain Updated Guides:** Regularly revisit security resource guides for platforms to ensure internal procedures reflect the latest configuration options and instructions.
## Implementation Guidance
### For Small Organizations (Focusing on Owner/Key Personnel Accounts)
- **Prioritize Email & Admin Access:** Implement MFA immediately on the primary organizational email account and any administrative credentials.
- **Use MFA Alternatives:** Utilize robust Authenticator Apps (e.g., Microsoft Authenticator, Duo Mobile, Authy) if hardware keys are not immediately feasible.
- **Basic Login Review:** Train key personnel to check the device and login history for their main accounts (Google, Microsoft) monthly.
### For Medium Organizations (Establishing Standard Procedures)
- **Standardize MFA Rollout:** Mandate MFA enrollment across all employees for all corporate services (Email, VPN, SaaS tools). Document the enabling process clearly.
- **Centralized Audit:** Establish a procedure to periodically audit user sessions and connected third-party applications for major services used by the organization.
- **Documentation Source:** Leverage external MFA directories to create internal documentation on enabling 2FA for the top 20 crucial business applications.
### For Large Enterprises (Risk Management and Advanced Controls)
- **Advanced Protection Rollout:** For executive, finance, or high-value assets, deploy physical security keys and enforce equivalent hardware-backed authentication methods.
- **Security Checkup Automation:** Integrate security monitoring tools to alert security teams when high-risk activities (like new device logins from unknown geographic regions) are detected in centralized identity management systems.
- **Incident Response Plan Integration:** Ensure the procedure for suspected account compromise is integrated into the broader organizational Incident Response Plan, including mandatory professional consultation for high-risk individuals.
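As an added example (not part of the guide), the Python script below applies the session review described under Immediate Actions, the session-aging policy under Short-term Improvements, and the unknown-location alerting under Security Checkup Automation to a constructed session export. The known-device and known-country baselines and the sample sessions are assumptions for illustration.

```python
"""Triage an exported 'Active Sessions' list: flag sessions from unknown
devices or countries (terminate now, change password) and sessions idle past
an aging threshold (log out per the auto-logout policy)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Session:
    service: str
    device: str            # device label as shown in the service's dashboard
    country: str           # ISO country code of the last-seen location
    last_active: datetime  # timezone-aware
    is_current: bool = False  # the session you are reviewing from


# Assumed baseline of what the account owner recognises; maintain per user.
KNOWN_DEVICES = {"Pixel 7", "ThinkPad X1", "iPhone 14"}
KNOWN_COUNTRIES = {"DE", "NL"}


def triage(sessions, now, max_age_days=30):
    """Return (suspicious, stale). Suspicious sessions come from an
    unrecognised device OR country; stale ones are recognised but idle
    longer than max_age_days. The current session is never listed."""
    suspicious, stale = [], []
    cutoff = now - timedelta(days=max_age_days)
    for s in sessions:
        if s.is_current:
            continue
        if s.device not in KNOWN_DEVICES or s.country not in KNOWN_COUNTRIES:
            suspicious.append(s)
        elif s.last_active < cutoff:
            stale.append(s)
    return suspicious, stale


# Constructed sample export, not data from any real account.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_SESSIONS = [
    Session("Telegram", "Pixel 7", "DE", NOW - timedelta(hours=1), is_current=True),
    Session("Telegram", "ThinkPad X1", "DE", NOW - timedelta(days=45)),   # idle 45 d
    Session("Discord", "Unknown Windows", "BR", NOW - timedelta(minutes=10)),
    Session("Gmail", "Pixel 7", "US", NOW - timedelta(hours=2)),         # known device, new country
    Session("Gmail", "iPhone 14", "NL", NOW - timedelta(days=3)),
]


def summarize(sessions=SAMPLE_SESSIONS, now=NOW):
    """Compact report of what to terminate and what to age out."""
    suspicious, stale = triage(sessions, now)
    return {"suspicious": [(s.service, s.device, s.country) for s in suspicious],
            "stale": [(s.service, s.device) for s in stale]}


if __name__ == "__main__":
    print(summarize())
```

A recognised device appearing from a new country is still flagged, which matches the guide's advice to treat unfamiliar locations as suspicious even when the device name looks familiar.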
## Configuration Examples
| Service | Configuration Action | Technical Step |
| :--- | :--- | :--- |
| **Google Account** | Detect/Revoke Unknown Sessions | Scroll to "Last account activity" > Click "Details" > Review devices > Click "Security Checkup" > Log out unrecognized devices. |
| **Google Account** | Enforce Strongest Security | Enroll in the Advanced Protection Program (Requires Security Keys). |
| **Discord** | Review Third-Party Access | Navigate to Settings > Authorized Apps > Click "Deauthorize" on unknown applications. |
| **Telegram** | Session Management | Navigate to Settings > Active Sessions > Click "Terminate Session" or "Terminate all other sessions." |
| **Telegram** | Session Aging Policy | Configure automatic logouts for sessions inactive past a chosen threshold (e.g., 1 month). |
## Compliance Alignment
- **NIST CSF (SP 800-63B):** Alignment with Identity Assurance Level (IAL) requirements, specifically around strong authentication mechanisms (MFA, FIDO/Passkeys).
- **ISO/IEC 27001 (A.9 Access Control):** Directly addresses the need for regular review of access rights and authentication mechanisms for user accounts.
- **CIS Controls v8 (Control 5: Account Management / Control 6: Access Control Management):** Emphasizes the need to review and revoke unauthorized access and implement MFA across critical systems.
## Common Pitfalls to Avoid
1. **Relying Solely on Password Change:** Changing a password logs out most sessions, but some services retain access for third-party apps or "trusted devices." Always follow up by manually reviewing and removing third-party access.
2. **Ignoring MFA Setup:** Failing to enable MFA, especially on a primary email account, leaves the entire digital identity vulnerable to a single credential leak.
3. **Skipping High-Risk User Review:** Assuming that only high-profile individuals need the highest security measures (like hardware keys). Any account tied to banking or sensitive communications warrants maximum protection.
4. **Not Reviewing Device List:** Assuming that no one could have logged in from an unrecognized location without actually checking the active sessions dashboard on the service itself.
## Resources
- **Directory of Websites with MFA Support:** A resource detailing setup instructions for enabling multi-factor authentication across numerous websites (Use this for guidance on *how* to enable MFA).
- **Authenticator App Alternatives:** Microsoft Authenticator, Duo Mobile, Authy (Consult these for recommended MFA app solutions).
- **Access Now Digital Security Helpline:** A resource for journalists, dissidents, or individuals in high-risk situations needing expert assistance with a suspected compromise.
- **Google Advanced Protection Program Documentation:** Official guides detailing the implementation of hardware security keys for maximum protection against phishing.