Written by Quinnlan Varcoe, digital forensics examiner. Updated July 2026.
This guide is for the moment afteryou know. Someone had your phone — unlocked, for minutes or for months — or knows the passwords that control it. If you are still at the “is something wrong?” stage, start with is someone monitoring my phone instead. Here, we assume access happened, and walk what to change, in what order, so the person actually loses access — without destroying evidence you may need, and without tipping them off before you are ready.
STOP — locking them out is visible the moment you do it
Every step on this page — signing out their sessions, changing passwords, calling the carrier — tells the person they’ve been cut off the moment you do it. If the person is a partner, an ex, or anyone whose reaction you have reason to fear, that moment matters more than any technical step here.
Safety-plan first: from a device they have never touched, consider calling the National Domestic Violence Hotline — 800-799-7233— or an advocate before you sever access, so the lockout happens on your timeline, not theirs. There is no technical urgency that outranks your safety.
Preserve evidence before you change anything
Recovery and evidence pull in opposite directions: every password change and sign-out overwrites traces of what happened. If there is any chance you will want a protective order, a police report, or a civil case, fork here before the cleanup:
- Photograph what you can see from a separate device — sign-in alerts, unfamiliar sessions, forwarded emails, shared-location screens — and write down the timeline while it is fresh.
- Do not factory-reset or delete anything yet. If monitoring software may be on the phone, the evidence of who installed itlives in exactly the things a cleanup destroys — see stalkerware detection and removal for how preservation works, and how to report digital evidence to law enforcement for what a usable report needs. A forensic image taken before recovery keeps everything in court-ready form.
Step 1: take back the control plane — from a clean device
Do not start with the phone. Start with the accounts that control the phone — your email and your Apple ID or Google account — and do it from a device the person has never had: a work computer, a library computer, a trusted friend’s laptop. If they know your passwords, anything you type on a device they can see is already theirs.
- Email first.Your inbox is the master key — every “reset password” link lands there. Change the password, then check the two places intimate-partner access hides: forwarding rules and filters (mail silently copied or deleted before you see it) and app passwords / connected apps (standing access that survives a password change). Then sign out all other sessions.
- Apple ID / Google account next. Change the password, then review every signed-in deviceand remove the ones that aren’t yours — each one can read what your account syncs. Review recovery methods: a recovery email, phone number, or contact they control quietly undoes everything else. On iPhone, Apple’s Safety Check walks the sharing and access surfaces in one pass.
- Then the accounts that matter most— banking, cloud storage, social — in that order, same pattern: password, sessions, recovery methods, connected apps. If they knew your answers to security questions, change the answers to something they can’t guess (they don’t have to be true).
Step 2: your carrier and SIM
The phone number is a recovery channel for almost everything, and carrier access is the channel generic guides skip — especially when the person is on your plan:
- Set or change the carrier account PINand, if offered, enable a port-freeze / number-lock so the number can’t be moved to a new SIM without extra verification — the SIM-swap defense.
- Audit the line itself: call-forwarding settings, and any carrier-level location or “family locator” features attached to your line.
- If you share a family plan with the person, the plan owner can often see call/text records and line settings no matter what you do on the handset.The durable fix is splitting your line onto your own account — carriers have processes for this, and advocates (or the hotline above) know the words to use, including in DV situations.
Step 3: re-enroll two-factor the right way
Two-factor only helps if the second factor is yours alone. Done in the wrong order, it locks the door with their key inside:
- Remove the compromised phone as a trusted factor first — if the phone (or the number, per Step 2) still receives your codes, 2FA is currently protecting them, not you.
- Enroll a factor they can’t reach: an authenticator app on a clean device, or better, a hardware security key.
- Regenerate backup codes everywhere.Old backup codes — screenshotted, printed, or synced into a shared note — keep working after every other change. Regenerating voids the set they may have.
Step 4: the phone itself — reset or replace?
Only now, with the accounts and number yours again, deal with the handset. The honest decision matrix:
- Factory reset is usually enoughwhen the concern is an app they installed and you have preserved what you need (or decided you don’t need evidence). Set it up as new— restoring the old backup can restore the problem — and let apps re-download fresh.
- Reset is not enoughwhen a management (MDM) profile you can’t explain is on the device, when you can’t rule out that they still control an account the phone will re-sync with, or when the evidence question is still open — a reset is the most evidence-destructive act available.
- Replace the device when the history is long, the person is technically capable, or you simply need to trust your phone again more than you need to salvage this one. A new device, set up as new, signed into accounts you rotated from a clean device, is the clean break.
If you want confirmation, not guesswork
The steps above sever access. What they can’t tell you is what was taken, when, and by whom — or give you documentation that stands up later. A forensic examination can: what was on the phone, how it got there, and a court-ready record of both. That is our stalkerware detection and removal service; for ongoing hardening after recovery — passwords, 2FA, device hygiene, exposure reduction — see privacy services for individuals. If an account is still locked or taken over, account compromise recovery covers the account-by-account fight.
















