Playbook 3

Principal & family-member account takeover

A principal's personal email, iCloud/Google account, or social login is taken over — often via SIM-swap or reused credentials — giving the attacker password resets, private photos, and a launchpad into the office.

The hard truth

The principal's personal accounts are the softest target with the highest blast radius — and no IT team is watching them.

The first hour

  1. 1

    Regain control: use account-recovery on a trusted device and revoke every active session.

  2. 2

    Reset the password and rotate any linked recovery email and phone number.

  3. 3

    Call the mobile carrier to lock the number against SIM-swap and confirm no port-out is pending.

  4. 4

    Turn on the strongest available MFA — prefer a hardware key or passkey over SMS.

  5. 5

    Review connected apps and forwarding rules; revoke anything unfamiliar.

  6. 6

    Warn the finance team that instructions from this account may be spoofed.

Stop the next one

  • Passkeys or hardware keys on the principal's email, cloud, and financial logins.
  • A carrier-level port-out lock and account PIN on every family mobile line.
  • A password manager for the household, ending credential reuse.
  • Separate recovery contacts that are not the account being protected.

Questions we hear