Secure your email account immediately (this is the master key to resetting all other services), revoke all active sessions, change passwords for all critical accounts (banking, email, social media), and enable two-factor authentication. File a fraud report with the FTC (identity theft.gov) and place fraud alerts with credit bureaus (Equifax, Experian, TransUnion). Monitor credit reports monthly for unauthorized accounts, set up breach monitoring services like Have I Been Pwned alerts, and consider a credit freeze to prevent new accounts opened in your name. For developers: audit all API tokens and SSH keys with access to repositories or infrastructure, assume any stored credentials are compromised, and rotate them across all services.
Prerequisites
Before you begin, make sure you have the following ready:
- A computer running macOS, Linux, or Windows
- Terminal or command-line access
- Administrator or sudo privileges (for system-level changes)
- A stable internet connection for downloading tools
Step 1 - Immediate Actions: The First Hour
When you suspect identity theft, the first priority is limiting the attacker’s access. Assume that any compromised credentials are actively being used against you.
Lock Down Compromised Accounts
Start with your email account, this is often the key to resetting every other service. If attackers control your email, they can request password resets for everything else.
For Gmail users, review recent account activity:
Check recent account access (navigate to myaccount.google.com)
Use Google's Security Checkup to see all active sessions
Revoke all unrecognized sessions immediately
If you still have access, change your password immediately and enable two-factor authentication (2FA). If you’ve been locked out, use account recovery options and prepare documentation for each service’s support team.
Revoke OAuth Tokens and API Keys
For developer accounts, attackers may have created or stolen OAuth tokens or API keys. Check your GitHub, AWS, Google Cloud, and similar services for unauthorized applications:
GitHub - Review and revoke OAuth authorizations
Navigate to Settings > Applications > Authorized OAuth Apps
Review each application and revoke suspicious ones
AWS - Check for unauthorized IAM users or access keys
aws iam list-users
aws iam list-access-keys
Sign Out Everywhere
Force-sign out of all sessions on compromised accounts. Most major services offer this option in security settings.
Step 2 - Account Recovery Process
After securing immediate access, systematically work through each affected account.
Priority Order for Recovery
- Email accounts (primary and secondary)
- Financial accounts (banking, credit cards, payment processors)
- Password managers and identity providers
- Social media accounts
- Developer accounts (GitHub, AWS, cloud providers)
- Other services
Document Everything
Create a secure log of the incident:
Create an incident tracking document
mkdir -p ~/security-incidents/$(date +%Y-%m-%d)-identity-theft
cd ~/security-incidents/$(date +%Y-%m-%d)-identity-theft
Log each action taken
echo "2026-03-16 10:30: Changed Gmail password" >> log.txt
echo "2026-03-16 10:45: Revoked OAuth tokens on GitHub" >> log.txt
This documentation helps when filing reports and working with support teams.
Step 3 - Financial Protection
If financial information may be compromised, act immediately to prevent monetary loss.
Contact Financial Institutions
Call your bank’s fraud department immediately. Request:
- A freeze on compromised cards
- New account numbers if necessary
- Transaction alerts on all accounts
- A review of recent transactions for unauthorized activity
Credit Bureaus
Place a fraud alert with major credit bureaus:
Equifax - 1-800-525-6285
Experian - 1-888-397-3742
TransUnion - 1-800-680-7289
A fraud alert requires lenders to verify your identity before issuing credit. For stronger protection, consider a credit freeze, which completely blocks new credit inquiries.
Review Recent Transactions
Go through every transaction in your banking and credit card apps for the past 30 days. Report any unrecognized charges, no matter how small, attackers often test with small purchases before larger ones.
Step 4 - Digital Forensics for Developers
If you’re a developer or sysadmin, consider what technical artifacts the attacker may have left behind.
Check for Backdoors
Review your systems for unauthorized access methods:
Check for new SSH keys added to authorized_keys
cat ~/.ssh/authorized_keys
Review crontabs for malicious jobs
crontab -l
Check for new systemd services
systemctl list-units --type=service
Review shell history for commands you didn't run
history
Audit Git Repositories
If attackers had access to your development environment, they may have modified code:
Check for unauthorized commits
git log --all --oneline --graph
Review remote branches
git branch -r
Check git config for unexpected user settings
git config --list --local
Rotate All Credentials
Assume any credential visible on a compromised machine is burned. Rotate:
- All passwords in your password manager
- API keys and tokens
- SSH keys
- Database credentials
- Encryption keys (if warranted)
Step 5 - Establishing Monitoring
After recovery, set up ongoing monitoring to detect future compromise.
Automated Alerts
Configure alerts for critical account changes:
Use ifttt or similar to alert on account changes
Monitor for - password changes, new device logins, OAuth grants
Regular Audits
Schedule periodic security reviews:
Monthly - Review account access logs
Quarterly - Audit OAuth permissions
Annually - Review and rotate API keys
Dark Web Monitoring
Services like HaveIBeenPwned (haveibeenpwned.com) can alert you when your email appears in data breaches. Consider setting up automated checks:
Check via API (requires API key from haveibeenpwned.com)
curl -H "hibp-api-key: YOUR_API_KEY" \
"https://haveibeenpwned.com/api/v3/breachedaccount/your@email.com"
Step 6 - Prevention Strategies
Recovering from identity theft teaches valuable lessons about prevention.
Password Manager
Use a password manager to generate unique, complex passwords for every service. This limits blast radius when one service is breached.
Hardware Security Keys
For high-value accounts, consider hardware security keys (YubiKey, Titan). These provide protection against phishing and session hijacking that SMS or authenticator apps cannot match.
Separate Identity Contexts
Isolate your development environment from your personal digital life. Use different email addresses, different password managers if possible, and avoid storing development credentials alongside personal ones.
Regular Security Drills
Periodically test your incident response capability:
Quarterly - Update recovery phone/email
Semi-annually - Test account recovery flows
Annually - Full credential audit
When to Involve Law Enforcement
Certain situations warrant police involvement:
- Significant financial loss
- Evidence of organized crime
- Identity theft affecting others
- Death or medical identity theft
File a report at identitytheft.gov to get an official recovery plan and police report number. This documentation helps when disputing fraudulent charges.
Troubleshooting
Configuration changes not taking effect
Restart the relevant service or application after making changes. Some settings require a full system reboot. Verify the configuration file path is correct and the syntax is valid.
Permission denied errors
Run the command with sudo for system-level operations, or check that your user account has the necessary permissions. On macOS, you may need to grant terminal access in System Settings > Privacy & Security.
Connection or network-related failures
Check your internet connection and firewall settings. If using a VPN, try disconnecting temporarily to isolate the issue. Verify that the target server or service is accessible from your network.
Frequently Asked Questions
How long does it take to complete this setup?
For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.
What are the most common mistakes to avoid?
The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.
Do I need prior experience to follow this guide?
Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.
Can I adapt this for a different tech stack?
Yes, the underlying concepts transfer to other stacks, though the specific implementation details will differ. Look for equivalent libraries and patterns in your target stack. The architecture and workflow design remain similar even when the syntax changes.
Where can I get help if I run into issues?
Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.
Related Articles
- How To Purchase Items Online Without Revealing Real Identity
- Identity Compartmentalization Strategy Separating Real Name
- How To Document All Online Accounts For Executor Of Estate
- How To Protect Credit Card From Being Skimmed Online
- How To Audit Your Digital Footprint And Find All Accounts
- AI Coding Assistant Session Data Lifecycle Built by theluckystrike. More at zovo.one