Account Recovery and Threat Mitigation

A comprehensive guide on detecting account compromise, executing immediate recovery steps, and mitigating high-risk threats like SIM swapping and state-sponsored surveillance in the Iranian context.

Time: 10 minutes

Account compromise often carries higher stakes than financial loss. For activists, journalists, and regular citizens, a breached account can lead to interrogation, exposure of social circles, and legal persecution. The adversary is often not a random criminal, but state-sponsored actors with direct access to telecommunications infrastructure.

This guide outlines how to detect a compromise, immediate steps to recover control, and strategies to mitigate specific threats like SIM swapping and targeted surveillance.

1. Detecting Compromise

It is rarely possible to know for certain how an account was breached, but the signs that it has happened are often visible. Be vigilant for the following indicators:

  • Unexpected 2FA Codes: Receiving SMS verification codes (OTPs) that you did not request. This is a common sign that state actors are attempting to log into your Telegram, Instagram, or Google account.
  • Active Session Anomalies: Seeing unrecognized devices, IP addresses, or locations in your "Active Sessions" or "Linked Devices" list.
    • Note: In Iran, due to VPN usage, your own IP location may appear as Germany, Netherlands, etc. Look for devices (e.g., a Samsung phone logging in when you use an iPhone) or login times that do not match your activity.
  • Service Notifications: Alerts about password changes, recovery email modifications, or disabled 2FA that you did not initiate.
  • Content Changes: Deleted posts, new messages sent to contacts, or changes to privacy settings.
  • Sudden Loss of Signal: Your phone losing network service completely while others around you have signal (a primary sign of a SIM swap attack).

2. Immediate Incident Response (The "Fire" Phase)

If you suspect unauthorized access, act immediately. Do not wait to confirm.

Step 1: Secure Your Access

If you can still log in, change your password immediately. Use a unique, high-entropy password generated by a password manager.

Step 2: Terminate Sessions

Most services used in Iran (Telegram, Instagram, Google, WhatsApp) allow you to view and revoke active sessions.

  • Action: Log out of all other sessions immediately. This kicks the attacker off, forcing them to re-authenticate (which they cannot do without the new password).

Step 3: Check Recovery Information

Attackers often add their own email addresses or phone numbers to maintain access even after you change your password.

  • Action: Verify that the recovery email and phone number belong to you. Delete any unrecognized entry immediately.

Step 4: Revoke Third-Party Access

Check for "Connected Apps" or "OAuth" permissions (e.g., "Sign in with Google"). Attackers may use malicious third-party apps to maintain access without needing your password.

3. Account Recovery Strategy

If you have been locked out (password changed by the attacker):

  1. Use Recovery Codes: This is your best defense. If you previously saved static backup codes (8-10 digit codes), use them to bypass 2FA or password resets.
  2. Trusted Contacts: Some platforms (like Facebook) allow recovery via trusted friends.
  3. Platform Support: Initiate the official account recovery process.
    • Warning: Be cautious when providing ID documents to platforms if you are working anonymously. Ensure the request is coming from the official domain (e.g., google.com) and not a phishing email.

4. Mitigating SIM Swapping and SMS Interception

In many countries, "SIM Swapping" involves a hacker tricking a telecom provider. In Iran, the threat is more severe: telecommunication providers (MCI, Irancell, RighTel) are legally required to cooperate with security services.

This means the state can intercept SMS verification codes (SS7 attacks) or issue a duplicate SIM card for your number without social engineering.

Why SMS 2FA is Dangerous in Iran

  • Interception: SMS travels in plaintext. Infrastructure providers can read the code before it reaches you.
  • Cloning: If your SIM is cloned, the attacker receives your calls and SMS codes on their device.

Defense Strategies

  1. Disable SMS 2FA: Wherever possible, remove your phone number as a method for Two-Factor Authentication.
  2. Use App-Based Authentication (TOTP): Switch to apps like Ente Auth, Aegis (Android), or Raivo/Strongbox (iOS). These generate codes locally on your device and cannot be intercepted via the mobile network.
  3. Use Hardware Keys: The strongest protection is a physical security key (YubiKey, Nitrokey). This prevents remote attacks entirely.
  4. Google Voice / Virtual Numbers: If a service requires a phone number, try using a VoIP number (like Google Voice) secured by a Google account with a hardware key. Avoid using your real Iranian mobile number for sensitive accounts (Telegram, Signal, Twitter).

5. Advanced Protection for High-Risk Users

For journalists, human rights defenders, and political activists, standard security settings are often insufficient. Tech giants offer "Lockdown" modes designed specifically for targeted individuals.

Google Advanced Protection Program (APP)

Google APP is the strongest security setting available for Google accounts.

  • What it does: Enforces the use of security keys (or passkeys), blocks most non-Google apps from accessing your data, and performs strict scanning of downloads.
  • Recovery: It makes account recovery much harder (to prevent social engineering). You must have your backup codes.
  • Relevance: Highly recommended for Iranian activists to prevent state-sponsored phishing and account takeovers.

Apple Lockdown Mode

Available on iOS 16+, Lockdown Mode reduces the attack surface of the iPhone.

  • What it does: Blocks message attachments, disables link previews, blocks incoming FaceTime from strangers, and restricts complex web technologies (JIT) that are often used in "Zero-Click" spyware attacks (like Pegasus).
  • Recommendation: Enable this if you believe you are a target of state surveillance. It impacts usability slightly but significantly raises the cost of hacking your device.

6. Post-Compromise Hardening

Once you have recovered your account, ensure it cannot be breached again easily.

  • Rotate Credentials: Change passwords for all accounts that shared the compromised password or email.
  • Refresh Backup Codes: Generate a new set of backup codes. The old ones may have been viewed by the attacker.
  • Check Forwarding: Ensure email forwarding rules were not set up to send copies of your emails to the attacker.
  • Review Filters: Attackers often set email filters to archive/delete security warnings so you don't see them. Check your trash and filter settings.
  • Device Scan: If the breach originated from a device (malware), factory reset the device. Antivirus is often insufficient against sophisticated spyware.
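As an added example for the forwarding and filter checks above (not part of the original guide), this Python script audits an exported Gmail filter file for filters that forward mail elsewhere, delete it, or silently archive security notices. The sample export is constructed, and the Atom/apps property names are assumed to match Gmail's mailFilters.xml export.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
# Words typical of the security notices an attacker wants to hide from the owner.
SECURITY_HINTS = ("security", "password", "verification", "sign-in", "new device", "recovery")
# Filter actions that keep a matching message out of the unread inbox.
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")

# Constructed sample in the shape of a Gmail mailFilters.xml export (assumed format).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Newsletters'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='security alert OR new sign-in'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='*'/>
    <apps:property name='forwardTo' value='attacker-mailbox@example.net'/>
    <apps:property name='shouldTrash' value='true'/></entry>
</feed>"""


def audit_filters(xml_text: str, trusted_forwards: tuple = ()) -> list:
    """Return [(filter_no, criteria, reasons)] for every filter that hides or leaks mail."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for n, entry in enumerate(root.iter(ATOM + "entry"), start=1):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord"))
        criteria = criteria.lower().strip()
        reasons = []
        fwd = props.get("forwardTo")
        if fwd and fwd not in trusted_forwards:           # copies leave the mailbox
            reasons.append("forwards copies to " + fwd)
        if props.get("shouldTrash") == "true":            # evidence is destroyed
            reasons.append("deletes matching mail")
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hiding and (criteria in ("", "*") or any(h in criteria for h in SECURITY_HINTS)):
            reasons.append("hides security-related or all mail: " + ", ".join(hiding))
        if reasons:
            findings.append((n, criteria, reasons))
    return findings


if __name__ == "__main__":
    for no, crit, why in audit_filters(SAMPLE_EXPORT):
        print(f"filter #{no} [{crit!r}]: " + "; ".join(why))
```

Run it against your own export with any forwarding address you set yourself passed in trusted_forwards; anything it still reports should be deleted from the account's filter settings.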

7. Emergency Resources

  • Access Now Helpline: A 24/7 digital security helpline for civil society, activists, and journalists. Available in multiple languages.
  • Digital First Aid Kit: A diagnostic tool to help you determine what is happening to your account or device.

Related Topics: [[Strong-Password-Fundamentals]], [[Multi-Factor-Authentication-Strategies]], [[Secure-Password-Storage-and-Managers]]
