Last updated 2026-05-28
I think my account is compromised
Move fast. The faster you act, the less anyone can do under your identity.
Right now (under 60 seconds)
- Open /me/sessions (if you can still log in). You'll see every active session, with device + IP hint + last-seen time.
- "Revoke all" the sessions you don't recognize. If you're not 100% sure which is yours, revoke everything — you'll be logged out and can log back in fresh.
- Change your password at /me/security (or via /forgot-password if you've been kicked out). Use something you've never used elsewhere — 16+ characters, mixed.
Next 5 minutes
- Enable 2FA at /me/security if you haven't already. Pick TOTP (Google Authenticator, Authy, 1Password, Bitwarden). Save the 8 backup codes somewhere offline.
- Email your admin (or, if you ARE the admin, the platform owner) — tell them what happened. They can check audit logs for activity under your account.
- Tell anyone who got messages from you in the last 24-48 hours that the messages may not have been you.
If you got the "new sign-in detected" email
That email always includes a one-click revoke link for that exact session. Click it — even before doing anything else. You can investigate after.
If you can't log in at all
You're locked out: someone changed your password. Go straight to /forgot-password and recover via email link. If the attacker also changed your email, contact your admin (they can change it back).
If you ARE the platform owner and the attacker reached even your owner-protected account: SSH to the VPS and run scripts/owner_emergency_unlock.py --email <you> --reset-password --reset-2fa --confirm. See account recovery.
What admins should do when a user reports compromise
- Pull the user's recent activity from /admin/audit (filter on actor_email).
- Look for anything unexpected: data exports, employee record edits, project edits, integration token re-bindings, role changes.
- If anything looks wrong, revoke the user's API tokens (if any) and inform any affected third parties.
- File the incident in /admin/legal → Incidents so there's a paper trail.
What we've already done for you
- Every new sign-in from a device we haven't seen for your account triggers a "new sign-in detected" email with a revoke link.
- Failed logins are rate-limited: 5 wrong passwords within 15 minutes locks the account for 15 minutes.
- The audit log captures every privileged action with timestamp + actor + IP hash.
- For the platform-owner account, sign-in requires password + TOTP + an emailed magic link.
- Inactivity timeout: sessions auto-revoke after 8 hours of no activity.
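As an added illustration (example code, not the platform's own implementation), the lockout and inactivity rules above expressed in Python; the class and function names, and keying accounts by lower-cased email, are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 15 * 60          # wrong passwords are counted within this sliding window
MAX_FAILURES = 5                  # the 5th wrong password inside the window locks the account
LOCK_SECONDS = 15 * 60            # the account stays locked this long, even for the right password
IDLE_TIMEOUT_SECONDS = 8 * 3600   # a session is auto-revoked after this much inactivity


@dataclass
class AccountState:
    failures: deque = field(default_factory=deque)  # timestamps of recent wrong passwords
    locked_until: float = 0.0                        # epoch seconds; 0 means not locked


class LoginGuard:
    """Hypothetical server-side guard implementing the lockout rule described above."""

    def __init__(self):
        self._accounts = {}  # email -> AccountState (assumption: accounts keyed by email)

    def _state(self, email):
        return self._accounts.setdefault(email.lower(), AccountState())

    def is_locked(self, email, now):
        return now < self._state(email).locked_until

    def record_failure(self, email, now):
        """Register a wrong password at `now`; return True if the account is locked afterwards."""
        st = self._state(email)
        if now < st.locked_until:
            return True  # attempts during the lock are rejected and do not extend it
        st.failures.append(now)
        while now - st.failures[0] >= WINDOW_SECONDS:
            st.failures.popleft()  # drop failures older than the 15-minute window
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCK_SECONDS
            st.failures.clear()  # once the lock expires the user starts with a clean window
            return True
        return False

    def record_success(self, email, now):
        """Correct password: accepted (and failure history cleared) only while not locked."""
        if self.is_locked(email, now):
            return False
        self._state(email).failures.clear()
        return True


def session_is_live(last_seen, now):
    """Inactivity rule: a session survives only while its last activity is under 8 hours old."""
    return now - last_seen < IDLE_TIMEOUT_SECONDS
```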