Playbook 3
Principal & family-member account takeover
A principal's personal email, iCloud/Google account, or social login is taken over — often via SIM-swap or reused credentials — giving the attacker password resets, private photos, and a launchpad into the office.
The principal's personal accounts are the softest target with the highest blast radius — and no IT team is watching them.
The first hour
- 1
Regain control: use account-recovery on a trusted device and revoke every active session.
- 2
Reset the password and rotate any linked recovery email and phone number.
- 3
Call the mobile carrier to lock the number against SIM-swap and confirm no port-out is pending.
- 4
Turn on the strongest available MFA — prefer a hardware key or passkey over SMS.
- 5
Review connected apps and forwarding rules; revoke anything unfamiliar.
- 6
Warn the finance team that instructions from this account may be spoofed.
Stop the next one
- Passkeys or hardware keys on the principal's email, cloud, and financial logins.
- A carrier-level port-out lock and account PIN on every family mobile line.
- A password manager for the household, ending credential reuse.
- Separate recovery contacts that are not the account being protected.