Question 1

What should I do right now if my account was just compromised?

Accepted Answer

First — if you can still access the account, change the password from a clean device, enable two-factor authentication using an authenticator app (not SMS), and review recent sign-in activity to identify the unauthorized session. Second — sign out of all sessions everywhere. Third — call us. Most account-compromise cases involve more than the password (recovery email or phone changed, OAuth tokens issued to attacker apps, mailbox forwarding rules planted), and a password reset alone does not actually evict the attacker. The earlier the forensic audit happens, the more recoverable evidence we capture.

Question 2

How is forensic recovery different from a password reset?

Accepted Answer

A password reset blocks the attacker from logging in with the stolen password. A forensic recovery does much more: identifies which sessions were active and from where, lists OAuth-authorized apps the attacker may have granted themselves, finds inbox forwarding rules and filters that exfiltrate future mail, audits recovery email and phone for unauthorized changes, examines metadata to determine what the attacker accessed, and produces a written report you can act on (insurance, law enforcement, civil litigation). Without that audit, attackers commonly retain access through OAuth tokens and forwarding rules even after a password change.

Question 3

Can you find out who the attacker was?

Accepted Answer

Sometimes — depending on what artifacts the platform retained, whether the attacker used a VPN or anonymization, and whether there is law-enforcement or subpoena leverage. We can usually identify IP addresses, device fingerprints, geographic patterns, and timing of access. Attribution to a specific named individual typically requires either a clear pattern (e.g., a known person with means and motive — common in domestic situations) or law-enforcement escalation. We are honest about what attribution is and is not realistic in your specific case.

Question 4

How much does account-compromise recovery cost?

Accepted Answer

You have two ways to work with us. Run the investigation yourself in the SleuthX tool for $995 once — lifetime access, with usage metered from a prepaid balance you top up anytime. Or have our team do it for you in a done-for-you device package: $2,000 for one device, $5,000 for three, $7,000 for five, each including the $995 lifetime license. Multi-account or business-tier compromises beyond a package (Microsoft 365 tenants, multiple personal accounts plus a small business, or compromises with downstream financial fraud) are scoped per case at a flat $400/hour, with no multipliers. Sliding-scale pricing is available where the loss already hurts financially — that conversation happens on the first call, not buried in fine print.

Question 5

How long does account-compromise recovery take?

Accepted Answer

Active containment (sign-outs, OAuth audit, forwarding-rule cleanup, MFA hardening) is typically the same day or within 24 hours. The full forensic audit and written report usually take 5–10 business days, depending on platform (Microsoft 365 unified audit log review takes longer than a single Gmail account) and scope. Where there is downstream fraud, financial-crime documentation, or insurance / litigation timelines, the work is structured around your deadlines.

Question 6

Will my data be safer afterward?

Accepted Answer

Yes — substantially. The deliverable is not just an incident report; it is a hardened account with documented changes: app-specific passwords audited, OAuth tokens revoked except for known-good apps, recovery contacts verified, MFA enforced, login alerts enabled, and a written record of what was changed and why. We also map the broader exposure (other accounts that share the compromised credentials, third-party services with stored payment methods or personal data) and either close those gaps directly or hand you a prioritized punch list.

Question 7

Can the report be used for insurance, law enforcement, or in court?

Accepted Answer

Yes. The forensic report is written to court-admissible standards — chain of custody documented, methodology disclosed, findings supported by artifact evidence. Reports have been used for cyber-insurance claims, IC3 filings, FTC identity-theft reports, civil litigation against responsible parties, and where applicable, criminal-referral packages for state attorneys and federal investigators. We do not produce "good enough for the insurance company" reports; the standard is the same regardless of the eventual use.

Account Compromise Recovery

What this service does

What we will not do

Google, Facebook, or Gmail account hacked?

How an engagement begins

Why this work matters

Quinnlan Varcoe

A confidential, structured engagement.

Confidential Consultation

Scoped Engagement

Investigation and Findings

Frequently asked about account compromise

Schedule a confidential consultation