SleuthX

Read this first

Are you on a device or network the person can see?

  • If they might be able to see this device, use one they can’t access — a friend’s phone, a library or public computer, or a domestic-violence shelter’s safe device. If you continue here, your visit may be visible on a synced iCloud, Google account, or shared family plan.
  • If you think spyware or stalkerware is on this device, removing it can alert the person monitoring you and can destroy evidence. Make a safety plan — ideally with a domestic-violence advocate — before you remove anything, and use a device they can’t access in the meantime.
  • The Quick Exit button (top right) replaces this page with weather.com immediately — but it does not erase this visit from your history, and private/incognito mode doesn’t fully hide it either. To be safe, use a device the person can’t access.
  • If you’re in immediate danger, call 911. If you have a few quiet minutes, keep reading.

National Domestic Violence Hotline: 1-800-799-7233 · text START to 88788 · thehotline.org — 24/7, free, confidential.

988 Suicide & Crisis Lifeline: call or text 988 · 988lifeline.org — free, confidential crisis and emotional support, 24/7.

NNEDV Safety Net: techsafety.org — technology-safety help for survivors.

Device Recovery Guide

What to Do If Someone Has Access to Your Phone

When the person who had your phone is someone you know — a partner, an ex, someone close — they may know your passcode, your passwords, and your recovery answers. Generic “hacked phone” advice doesn't cover that. This is the recovery order that does.

Written by Quinnlan Varcoe, digital forensics examiner. Updated July 2026.

This guide is for the moment after you know. Someone had your phone — unlocked, for minutes or for months — or knows the passwords that control it. If you are still at the “is something wrong?” stage, start with is someone monitoring my phone instead. Here, we assume access happened, and walk through what to change, in what order, so the person actually loses access — without destroying evidence you may need, and without tipping them off before you are ready.

STOP — locking them out is visible the moment you do it

Every step on this page — signing out their sessions, changing passwords, calling the carrier — tells the person they’ve been cut off the moment you do it. If the person is a partner, an ex, or anyone whose reaction you have reason to fear, that moment matters more than any technical step here.

Safety-plan first: from a device they have never touched, consider calling the National Domestic Violence Hotline — 800-799-7233 — or an advocate before you sever access, so the lockout happens on your timeline, not theirs. There is no technical urgency that outranks your safety.

Preserve evidence before you change anything

Recovery and evidence pull in opposite directions: every password change and sign-out overwrites traces of what happened. If there is any chance you will want a protective order, a police report, or a civil case, fork here before the cleanup:

Step 1: take back the control plane — from a clean device

Do not start with the phone. Start with the accounts that control the phone — your email and your Apple ID or Google account — and do it from a device the person has never had: a work computer, a library computer, a trusted friend’s laptop. If they know your passwords, anything you type on a device they can see is already theirs.

  1. Email first. Your inbox is the master key — every “reset password” link lands there. Change the password, then check the two places intimate-partner access hides: forwarding rules and filters (mail silently copied or deleted before you see it) and app passwords / connected apps (standing access that survives a password change). Then sign out all other sessions.
  2. Apple ID / Google account next. Change the password, then review every signed-in device and remove the ones that aren’t yours — each one can read what your account syncs. Review recovery methods: a recovery email, phone number, or contact they control quietly undoes everything else. On iPhone, Apple’s Safety Check walks the sharing and access surfaces in one pass.
  3. Then the accounts that matter most — banking, cloud storage, social — in that order, same pattern: password, sessions, recovery methods, connected apps. If they knew your answers to security questions, change the answers to something they can’t guess (they don’t have to be true).

Step 2: your carrier and SIM

The phone number is a recovery channel for almost everything, and carrier access is the channel generic guides skip — especially when the person is on your plan:

Step 3: re-enroll two-factor the right way

Two-factor only helps if the second factor is yours alone. Done in the wrong order, it locks the door with their key inside:

  1. Remove the compromised phone as a trusted factor first — if the phone (or the number, per Step 2) still receives your codes, 2FA is currently protecting them, not you.
  2. Enroll a factor they can’t reach: an authenticator app on a clean device, or better, a hardware security key.
  3. Regenerate backup codes everywhere. Old backup codes — screenshotted, printed, or synced into a shared note — keep working after every other change. Regenerating voids the set they may have.

Step 4: the phone itself — reset or replace?

Only now, with the accounts and number yours again, deal with the handset. The honest decision matrix:

If you want confirmation, not guesswork

The steps above sever access. What they can’t tell you is what was taken, when, and by whom — or give you documentation that stands up later. A forensic examination can: what was on the phone, how it got there, and a court-ready record of both. That is our stalkerware detection and removal service; for ongoing hardening after recovery — passwords, 2FA, device hygiene, exposure reduction — see privacy services for individuals. If an account is still locked or taken over, account compromise recovery covers the account-by-account fight.

Primary sources

  1. NNEDV Safety Net (techsafety.org), Technology safety planning for survivors. https://www.techsafety.org/spyware-and-stalkerware-phone-surveillance
  2. Apple, How Safety Check on iPhone works to keep you safe. https://support.apple.com/guide/personal-safety/how-safety-check-works-ips2aad835e1/web
  3. Coalition Against Stalkerware, Information for survivors. https://stopstalkerware.org/information-for-survivors/

Meet Your Practitioner

Quinnlan Varcoe

Founder & CEO

GIAC-certified · 9 industry certifications

With operational experience across Fortune 50 security programs and the defense industrial base, Quinnlan founded SleuthX in 2022 to provide clients with the caliber of expertise typically reserved for the largest enterprises. Her work in threat intelligence and digital forensics has earned the trust of 26,000+ cybersecurity professionals who follow her analysis.

“26,000 professionals follow my work because I say what others won't — and I can back it up technically.”

Fortune 50 Background · Defense Industry · Threat Intelligence · Digital Privacy · Incident Response

Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally Security
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management