Secure your email account immediately (this is the master key to resetting all other services), revoke all active sessions, change passwords for all critical accounts (banking, email, social media), and enable two-factor authentication. File a fraud report with the FTC (identity theft.gov) and place fraud alerts with credit bureaus (Equifax, Experian, TransUnion). Monitor credit reports monthly for unauthorized accounts, set up breach monitoring services like Have I Been Pwned alerts, and consider a credit freeze to prevent new accounts opened in your name. For developers: audit all API tokens and SSH keys with access to repositories or infrastructure, assume any stored credentials are compromised, and rotate them across all services.

Immediate Actions: The First Hour

When you suspect identity theft, the first priority is limiting the attacker’s access. Assume that any compromised credentials are actively being used against you.

Lock Down Compromised Accounts

Start with your email account—this is often the key to resetting every other service. If attackers control your email, they can request password resets for everything else.

For Gmail users, review recent account activity:

# Check recent account access (navigate to myaccount.google.com)
# Use Google's Security Checkup to see all active sessions
# Revoke all unrecognized sessions immediately

If you still have access, change your password immediately and enable two-factor authentication (2FA). If you’ve been locked out, use account recovery options and prepare documentation for each service’s support team.

Revoke OAuth Tokens and API Keys

For developer accounts, attackers may have created or stolen OAuth tokens or API keys. Check your GitHub, AWS, Google Cloud, and similar services for unauthorized applications:

# GitHub: Review and revoke OAuth authorizations
# Navigate to Settings > Applications > Authorized OAuth Apps
# Review each application and revoke suspicious ones

# AWS: Check for unauthorized IAM users or access keys
aws iam list-users
aws iam list-access-keys

Sign Out Everywhere

Force-sign out of all sessions on compromised accounts. Most major services offer this option in security settings.

Account Recovery Process

After securing immediate access, systematically work through each affected account.

Priority Order for Recovery

1. Email accounts (primary and secondary)
2. Financial accounts (banking, credit cards, payment processors)
3. Password managers and identity providers
4. Social media accounts
5. Developer accounts (GitHub, AWS, cloud providers)
6. Other services

Document Everything

Create a secure log of the incident:

# Create an incident tracking document
mkdir -p ~/security-incidents/$(date +%Y-%m-%d)-identity-theft
cd ~/security-incidents/$(date +%Y-%m-%d)-identity-theft

# Log each action taken
echo "2026-03-16 10:30: Changed Gmail password" >> log.txt
echo "2026-03-16 10:45: Revoked OAuth tokens on GitHub" >> log.txt

This documentation helps when filing reports and working with support teams.

Financial Protection

If financial information may be compromised, act immediately to prevent monetary loss.

Contact Financial Institutions

Call your bank’s fraud department immediately. Request:

• A freeze on compromised cards
• New account numbers if necessary
• Transaction alerts on all accounts
• A review of recent transactions for unauthorized activity

Credit Bureaus

Place a fraud alert with major credit bureaus:

# Equifax: 1-800-525-6285
# Experian: 1-888-397-3742
# TransUnion: 1-800-680-7289

A fraud alert requires lenders to verify your identity before issuing credit. For stronger protection, consider a credit freeze, which completely blocks new credit inquiries.

Review Recent Transactions

Go through every transaction in your banking and credit card apps for the past 30 days. Report any unrecognized charges, no matter how small—attackers often test with small purchases before larger ones.

Digital Forensics for Developers

If you’re a developer or sysadmin, consider what technical artifacts the attacker may have left behind.

Check for Backdoors

Review your systems for unauthorized access methods:

# Check for new SSH keys added to authorized_keys
cat ~/.ssh/authorized_keys

# Review crontabs for malicious jobs
crontab -l

# Check for new systemd services
systemctl list-units --type=service

# Review shell history for commands you didn't run
history

Audit Git Repositories

If attackers had access to your development environment, they may have modified code:

# Check for unauthorized commits
git log --all --oneline --graph

# Review remote branches
git branch -r

# Check git config for unexpected user settings
git config --list --local

Rotate All Credentials

Assume any credential visible on a compromised machine is burned. Rotate:

• All passwords in your password manager
• API keys and tokens
• SSH keys
• Database credentials
• Encryption keys (if warranted)

Establishing Monitoring

After recovery, set up ongoing monitoring to detect future compromise.

Automated Alerts

Configure alerts for critical account changes:

# Example: Use ifttt or similar to alert on account changes
# Monitor for: password changes, new device logins, OAuth grants

Regular Audits

Schedule periodic security reviews:

# Monthly: Review account access logs
# Quarterly: Audit OAuth permissions
# Annually: Review and rotate API keys

Dark Web Monitoring

Services like HaveIBeenPwned (haveibeenpwned.com) can alert you when your email appears in data breaches. Consider setting up automated checks:

# Check via API (requires API key from haveibeenpwned.com)
curl -H "hibp-api-key: YOUR_API_KEY" \
 "https://haveibeenpwned.com/api/v3/breachedaccount/your@email.com"

Prevention Strategies

Recovering from identity theft teaches valuable lessons about prevention.

Password Manager

Use a password manager to generate unique, complex passwords for every service. This limits blast radius when one service is breached.

Hardware Security Keys

For high-value accounts, consider hardware security keys (YubiKey, Titan). These provide protection against phishing and session hijacking that SMS or authenticator apps cannot match.

Separate Identity Contexts

Isolate your development environment from your personal digital life. Use different email addresses, different password managers if possible, and avoid storing development credentials alongside personal ones.

Regular Security Drills

Periodically test your incident response capability:

# Quarterly: Update recovery phone/email
# Semi-annually: Test account recovery flows
# Annually: Full credential audit

When to Involve Law Enforcement

Certain situations warrant police involvement:

• Significant financial loss
• Evidence of organized crime
• Identity theft affecting others
• Death or medical identity theft

File a report at identitytheft.gov to get an official recovery plan and police report number. This documentation helps when disputing fraudulent charges.

Related Articles

• How to Use GPG Signed Emails to Verify Sender Identity
• How To Create Anonymous Online Identity That Cannot Be Linke
• Create Separate Browser Profiles For Each Online Identity
• How To Purchase Items Online Without Revealing Real Identity
• How To Use Compartmentalized Identity For Online Dating Sepa

Built by theluckystrike — More at zovo.one