Incident Response Notes

Stabilize the account or device before chasing every clue.

If the issue involves a suspicious login, unexpected recovery message, unknown extension, or strange browser behavior, begin by protecting access and preserving the environment. Avoid switching randomly between dozens of accounts before you know which ones are most exposed.

• Change credentials for the most critical affected account first.
• Review active sessions and sign out where appropriate.
• Remove or disable unknown browser extensions.
• Check recovery settings for unauthorized changes.

Protect identity anchors before convenience accounts.

Start with the email account that resets other accounts, the password manager that stores your credentials, and any work or billing account with elevated access. Those anchors matter more than lower-risk consumer accounts in the early stage of a response.

Capture a short timeline while details are still fresh.

Note what happened, when you noticed it, what browser or device was in use, and what changes you already made. Even a brief internal record is useful if you need to review patterns later or coordinate with a team.

After immediate response, fix the weak point that allowed the scare.

A response is incomplete if you only reset a password and move on. Review the broader cause: stale recovery paths, weak device hygiene, random browser extensions, sloppy shared logins, or poor separation between admin work and casual browsing.