
Response

Recovery and incident first actions: plan the bad half hour

Prevention matters. So does getting back in, preserving evidence and stopping a bad moment from becoming a month-long admin disaster.

Nigel version

Protect email, phone number, backup codes, password-manager recovery and backups. Test one restore before it matters.

Images: FIDO2 USB token, network firewall appliance, YubiKey 5C NFC security key (all Wikimedia Commons).

First-30-minutes builder

The bad half hour needs a script

Most recovery mistakes happen while people are stressed: approve the prompt, wipe the phone, reset from the infected laptop, forget the telco. Pick the incident, then build the first moves.

  • 0-5 min: Stop the reflex (ready)
  • 5-15 min: Move to clean ground (ready)
  • 15-30 min: Lock the master keys (ready)
  • First day: Record and review (needs prep: phone number is still soft)

Plan for: Strange MFA prompt

  • Do not approve the prompt.
  • Change the account password from a clean device.
  • Revoke sessions, then check recovery email, phone and forwarding rules.

Recovery posture

2 prep items still weak. Fix them while everyone is calm.

Explain the jargon

Small terms, big consequences

Each term below comes with the plain-English version and the practical move. No fake mystique, just the bit that changes what you do at home.

Clean device

A device you do not suspect is compromised. It might be another phone, a patched family laptop or a freshly reset machine.

Do this: Use it for password resets and session revocation when the main device may be infected or stolen.

Recovery codes

One-time backup codes that get you back into an account when the usual MFA device is gone.

Do this: Store them somewhere safe before the bad day. Do not leave recovery dependent on one phone.

Evidence first

Screenshots, timestamps, sender details and device names can matter for banks, telcos, work and police reports.

Do this: Capture facts before panic-wiping, unless safety or policy requires immediate isolation.

Do this

  • Protect telco accounts with strong passwords/MFA/port-out controls where available.
  • Store backup codes and password-manager recovery safely.
  • Test restoring one normal file.
  • Know how to revoke sessions and reset from a clean device.
  • Capture screenshots, timestamps and device details before panic-wiping.

Check

  • Can email recover without the main phone?
  • Are telco controls enabled?
  • Can you restore a file?
  • Are codes reachable?
  • Does family know what a strange MFA prompt means?

Avoid

  • Recovery depending on one phone.
  • Approving strange MFA prompts to quiet them.
  • Destroying evidence before fraud/work impact is assessed.

Full guidance

More than a slide title

An incident timeline builder for the first 30 minutes and first day.

First 30 minutes

Use a clean device, change the most important password first, revoke sessions, contact bank/telco/work if relevant, and preserve evidence.

First day

Review account recovery settings, connected devices, mail forwarding rules, payment changes and cloud sharing.

Backups

Cloud sync is not the same as backup: a deletion or a ransomware-encrypted file syncs just as faithfully as a normal edit, so the "cloud copy" is damaged seconds after the local one. Keep a second copy that the sync client does not write to for files that matter, and prove it restores.
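The restore drill the page asks for, as an added example (not code from the original page): back one file up to a second location, damage the live copy the way a sync client would faithfully replicate, then restore from the backup into a scratch directory and check the bytes against a hash recorded at backup time. It uses only the Python standard library; the file names and contents are constructed for the demo.

```python
"""Restore drill for one file.

Added example, not from the original page. Assumes only the Python
standard library; the sample file and directory names are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256(path: Path) -> str:
    """Hex digest of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_file(src: Path, backup_dir: Path) -> Path:
    """Copy src into backup_dir and write a sidecar .sha256 recording what was copied."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / src.name
    shutil.copy2(src, dest)
    (backup_dir / f"{src.name}.sha256").write_text(sha256(src))
    return dest


def restore_drill(name: str, backup_dir: Path, scratch_dir: Path) -> bool:
    """Restore `name` from backup_dir into scratch_dir (never over the live file)
    and return True only if the restored bytes match the recorded hash."""
    scratch_dir.mkdir(parents=True, exist_ok=True)
    expected = (backup_dir / f"{name}.sha256").read_text().strip()
    restored = scratch_dir / name
    shutil.copy2(backup_dir / name, restored)
    return sha256(restored) == expected


def run_drill() -> dict:
    """End-to-end demo on constructed data: the live copy gets 'encrypted',
    the separate backup still restores, and a tampered backup is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "taxes.txt"
        live.write_text("tax return 2023\n")  # constructed sample file
        backup_file(live, root / "backup")

        # The failure mode from the page: ransomware or a deletion hits the
        # live copy. A sync folder would push this damage to the cloud copy
        # too; the separate backup directory does not change.
        live.write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        ok = restore_drill("taxes.txt", root / "backup", root / "restore")
        restored_text = (root / "restore" / "taxes.txt").read_text()

        # A backup that was itself altered must fail the drill loudly rather
        # than "succeed" with wrong contents.
        (root / "backup" / "taxes.txt").write_text("garbage")
        tampered_ok = restore_drill("taxes.txt", root / "backup", root / "restore2")

    return {"restore_ok": ok, "restored_text": restored_text, "tampered_ok": tampered_ok}


if __name__ == "__main__":
    print(run_drill())
```

Point the backup directory at a location the sync client never writes to (an external disk, a separate account, a versioned bucket) and the drill tells you whether the second copy actually exists, not just whether a folder by that name does.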

Email first, then the accounts it can reset

Most household recovery paths route through email. If email is exposed, changing a bank, social or cloud password may not hold because the attacker can still receive reset links. Secure email from a clean device, revoke sessions, check forwarding rules, then move down the account list.
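Checking forwarding rules usually means reading a list of filters in a settings page, but it is easy to miss one rule among dozens. As an added example (not code from the original page), this scans an exported filter file and flags every rule that forwards, trashes, skips the inbox or marks mail read, the combination an attacker uses to keep receiving reset links while you see nothing. It assumes the Gmail filter export format (an Atom feed of apps:property elements); the sample feed below is constructed, and other providers need a different parser.

```python
"""Flag mail filters that divert or hide mail.

Added example, not from the original page. Assumes the Gmail filter export
format (Atom feed with apps:property elements); the SAMPLE_FEED is constructed.
"""
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
APPS_NS = "http://schemas.google.com/apps/2006"

# Properties an attacker combines to read your mail without you noticing.
SUSPICIOUS = {
    "forwardTo": "forwards matching mail to another address",
    "shouldTrash": "sends matching mail straight to Trash",
    "shouldArchive": "skips the inbox, so the mail arrives but you never see it",
    "shouldMarkAsRead": "marks mail read, so the unread count does not move",
}

# Constructed export: one harmless newsletter rule and one attacker rule.
SAMPLE_FEED = f"""<?xml version="1.0" encoding="UTF-8"?>
<feed xmlns="{ATOM_NS}" xmlns:apps="{APPS_NS}">
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example.com"/>
    <apps:property name="label" value="Newsletters"/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name="hasTheWord" value="password OR verification OR invoice"/>
    <apps:property name="forwardTo" value="mailbox@attacker.example"/>
    <apps:property name="shouldArchive" value="true"/>
    <apps:property name="shouldTrash" value="true"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
  </entry>
</feed>
"""


def scan_filters(xml_text: str) -> list[dict]:
    """Return one finding per filter that forwards, trashes, archives or marks read."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.iter(f"{{{ATOM_NS}}}entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.iter(f"{{{APPS_NS}}}property")}
        reasons = []
        for name, why in SUSPICIOUS.items():
            value = props.get(name)
            # Boolean flags matter only when true; any forwardTo at all is a finding.
            if value and (name == "forwardTo" or value.lower() == "true"):
                reasons.append(f"{why} ({name}={value})")
        if reasons:
            criteria = {k: v for k, v in props.items() if k not in SUSPICIOUS}
            findings.append({"criteria": criteria, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_filters(SAMPLE_FEED):
        print("Suspicious filter matching", finding["criteria"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against a real export after securing the account from a clean device; a filter you did not create that forwards anywhere, or that trashes mail containing words like "verification", is the rule to delete first, before changing passwords on the accounts that email can reset.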

Telco and identity recovery are admin jobs, not panic jobs

A phone number can sit behind MFA prompts, bank checks and password resets. If the SIM, number or identity documents are involved, slow down enough to record times, contact the provider, report where appropriate, and protect the document trail. Panic-wiping the only evidence helps the wrong person.

Scenario

Strange MFA prompt

A login prompt appears while nobody is logging in.

Better response

  • Do not approve
  • Change password from clean device
  • Revoke sessions

Worse habit

Approving it because the notification is annoying.

Email account feels wrong

A password reset email appears, mail is missing, or friends receive odd messages from the account.

Better response

  • Secure email first from a clean device
  • Check forwarding rules and recovery settings
  • Revoke active sessions
  • Then reset high-value linked accounts

Worse habit

Changing a few visible passwords while the email account still controls resets.

SIM or identity trouble

The phone loses service, bank checks fail, or a provider says account details changed.

Better response

  • Contact the telco through a known-good channel
  • Record times, screenshots and case numbers
  • Contact banks and key accounts
  • Report identity theft where needed

Worse habit

Assuming it is a reception problem while reset codes and bank checks keep routing through the number.