Getting a “new device signed in” alert can be either harmless (you, a new phone) or urgent (someone else). The good news: you can usually contain it in a few minutes if you focus on the right checks.


Move quickly, but don’t panic-click random links in the notification.

Before you start: open the app or website by typing the address yourself (or using your saved bookmark), not by tapping the alert.

1. Confirm the alert is real (not a phishing message)

Look at where the alert came from: email sender domain, in-app notification center, or your account’s security page.

  • Don’t trust the button in the email/SMS. Instead, sign in by going directly to the service.
  • Check for mismatches like odd spelling, generic greetings, or a link that doesn’t match the official domain.
  • If it’s an email, expand the message details (in Gmail, “Show original”; in other clients, view the headers) and confirm that the sender address, the “mailed-by” domain and the “signed-by” (DKIM) domain all belong to the service, and that SPF, DKIM and DMARC show “pass”. A lookalike such as the service name inside someone else’s domain is not the official domain.

If you can’t verify it’s legitimate, treat it as suspicious and continue with the next steps anyway.
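The checks above can be run mechanically on the raw message. The following is an added example, not code from the original article or from any mail provider: it parses a constructed alert email, compares the visible sender, the envelope sender (what Gmail shows as “mailed-by”) and the SPF/DKIM/DMARC verdicts against an assumed official domain, and flags links whose real target is off-domain or differs from the domain shown in the link text. The domain `example-service.com`, the message contents and the two-label domain comparison are illustrative assumptions.

```python
"""Triage a "new device signed in" alert email before clicking anything.

Added example; the message and domains below are constructed for
illustration and are not from any real service.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed official domain of the service that sent the alert (hypothetical).
OFFICIAL_DOMAINS = {"example-service.com"}

# Constructed alert email: the From header looks right, but the envelope
# sender, the DKIM/DMARC results and the "secure your account" link do not.
RAW_ALERT = b"""\
From: Example Service Security <no-reply@example-service.com>
Return-Path: <bounce@mail-example-service.biz>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail-example-service.biz; dkim=fail header.d=example-service.com; dmarc=fail
Subject: New sign-in on your account
Content-Type: text/html; charset="utf-8"

<p>Dear user,</p>
<p>A new device signed in. If this wasn't you,
<a href="https://example-service.com.verify-login.net/reset">secure your account</a>.</p>
<p>Or visit <a href="https://example-service.com/security">example-service.com/security</a>.</p>
"""

HOST_RE = re.compile(r"\b[\w-]+(?:\.[\w-]+)+\b")


def registrable_domain(host):
    """Last two labels of a hostname (simplification: ignores suffixes like co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def is_official(host, official):
    return registrable_domain(host) in official


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_alert(raw, official=OFFICIAL_DOMAINS):
    """Return a list of red flags; an empty list means nothing obvious is wrong."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Visible sender and "mailed-by" (envelope sender / Return-Path) domains.
    for header in ("From", "Return-Path"):
        _, addr = parseaddr(str(msg.get(header, "")))
        domain = addr.rpartition("@")[2]
        if domain and not is_official(domain, official):
            findings.append(f"{header} domain {domain} is not an official domain")

    # 2. SPF/DKIM/DMARC verdicts recorded by the receiving mail server.
    auth = str(msg.get("Authentication-Results", ""))
    verdicts = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech, "none") != "pass":
            findings.append(f"{mech} result is {verdicts.get(mech, 'missing')}")

    # 3. Links: off-domain targets, and link text that names a different host.
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body is not None else ""
    collector = LinkCollector()
    collector.feed(html)
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if not is_official(host, official):
            findings.append(f"link '{text}' points off-domain to {host}")
        shown = HOST_RE.search(text)
        if shown and registrable_domain(shown.group()) != registrable_domain(host):
            findings.append(f"link text shows {shown.group()} but goes to {host}")

    # 4. Generic greeting: real alerts usually address you by name or account.
    plain = re.sub(r"<[^>]+>", " ", html)
    if re.search(r"\bdear (user|customer|member)\b", plain, re.I):
        findings.append("generic greeting")

    return findings


if __name__ == "__main__":
    for flag in check_alert(RAW_ALERT):
        print("RED FLAG:", flag)
```

Note that the From header alone passes every check here; it is the envelope sender, the DKIM and DMARC failures and the link target that give the message away, which is why expanding the details matters more than reading the display name.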

2. Check recent sign-ins: time, location, device, and IP

Most services have a “Recent activity,” “Devices,” or “Security” page listing sign-ins.


  • Match the timestamp to what you were doing at that time.
  • Location is approximate: IP geolocation, VPNs, mobile carrier networks and ISP routing can place you in a neighbouring city or even another region. A far-away country, or two sign-ins minutes apart from places you could not have travelled between, is a red flag.
  • Device clues like “Windows Chrome” or “iPhone Safari” help you recognize your own logins.

If you see a login you don’t recognize, assume your password (or a session) may be compromised.
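The same review can be done over an exported sign-in list. The following is an added example, not code from the original article or from any service: it takes constructed sign-in records in the shape a “Recent activity” page shows (time, IP, geolocated city, device) and flags unrecognised devices, sign-ins outside your usual countries, and “impossible travel”, where the distance between consecutive sign-ins could not be covered in the time between them. The records, the set of known devices and home countries, the 1000 km/h speed limit and the 100 km floor (to avoid flagging geolocation jitter between nearby cities) are all assumptions for the example.

```python
"""Flag suspicious entries in an account's sign-in history.

Added example; the sign-in records are constructed and the thresholds are
assumptions, not any service's actual rules.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in records, roughly what a "Recent activity" page shows.
# Lat/lon are what an IP-geolocation lookup would give; they are approximate.
SIGN_INS = [
    {"time": "2024-05-01T08:02:00Z", "ip": "203.0.113.7", "country": "US",
     "city": "Denver", "lat": 39.74, "lon": -104.99, "device": "Windows Chrome"},
    {"time": "2024-05-01T12:30:00Z", "ip": "203.0.113.9", "country": "US",
     "city": "Boulder", "lat": 40.01, "lon": -105.27, "device": "iPhone Safari"},
    {"time": "2024-05-01T13:15:00Z", "ip": "198.51.100.23", "country": "NG",
     "city": "Lagos", "lat": 6.52, "lon": 3.38, "device": "Linux Firefox"},
]

KNOWN_DEVICES = {"Windows Chrome", "iPhone Safari"}  # assumed: the user's own devices
HOME_COUNTRIES = {"US"}                               # assumed: where the user normally is
MAX_SPEED_KMH = 1000.0   # assumed: faster than this between sign-ins is "impossible travel"
MIN_TRAVEL_KM = 100.0    # assumed: ignore small jumps caused by geolocation jitter


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def parse_time(s):
    """Parse the ISO-8601 UTC timestamps used in the records above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def review_sign_ins(records, known_devices=KNOWN_DEVICES,
                    home_countries=HOME_COUNTRIES, max_speed_kmh=MAX_SPEED_KMH):
    """Return {record index: [reasons]} for sign-ins that need a second look."""
    ordered = sorted(range(len(records)), key=lambda i: parse_time(records[i]["time"]))
    flagged = {}
    prev = None
    for i in ordered:
        r = records[i]
        reasons = []
        if r["device"] not in known_devices:
            reasons.append(f"unrecognised device {r['device']!r}")
        if r["country"] not in home_countries:
            reasons.append(f"sign-in from {r['country']} ({r['city']})")
        if prev is not None:
            hours = (parse_time(r["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], r["lat"], r["lon"])
            # Two sign-ins at the same instant from far apart are also impossible.
            speed = km / hours if hours > 0 else float("inf")
            if km > MIN_TRAVEL_KM and speed > max_speed_kmh:
                reasons.append(
                    f"impossible travel: {km:.0f} km from {prev['city']} in {hours:.2f} h")
        if reasons:
            flagged[i] = reasons
        prev = r
    return flagged


if __name__ == "__main__":
    for idx, reasons in review_sign_ins(SIGN_INS).items():
        r = SIGN_INS[idx]
        print(f"{r['time']} {r['ip']} {r['city']} {r['device']}")
        for reason in reasons:
            print("   -", reason)
```

In the constructed data the Denver and Boulder sign-ins are about 40 km and several hours apart and pass, while the Lagos sign-in 45 minutes later trips all three checks. Treat a single flag, especially the country one, as a prompt to look closer rather than proof of compromise; a VPN produces exactly this pattern.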

3. Sign out of other sessions (and remove unknown devices)

This is often the fastest containment step because it invalidates active sessions.

  • Use “Sign out of all devices” if available.
  • Remove unknown devices from the device list.
  • Revoke connected apps you don’t recognize (OAuth grants and app-specific passwords issued to third parties keep working after a password change unless you revoke them).

If the service offers “log out other sessions but keep this one,” do that from a device you trust.

4. Change your password (and don’t reuse an old one)

Change the password from the official app/site while you’re signed in on a trusted device. If you can’t sign in safely, use the official “Forgot password” flow.

  • Use a unique password (never reused on any other site).
  • Long beats complex: a password manager-generated one is ideal.
  • After changing it, check again for new sign-ins showing up.

One quick gut-check: if you’ve reused this password anywhere else, change those too.

5. Turn on stronger verification (2FA) and update recovery options

Two-factor authentication makes stolen passwords far less useful.


  • Prefer an authenticator app or security key if the service supports it.
  • Avoid SMS-only if you can; it’s better than nothing, but codes sent by text can be intercepted through SIM swapping or phished in real time.
  • Update recovery email/phone so you don’t get locked out later.
  • Save backup codes somewhere safe (not in your email inbox).

If you already had 2FA on and still got a real unauthorized login, the attacker most likely got in without your password: a stolen session cookie (2FA is not asked for again on an existing session), a recovery method they control, or a connected app. Sign out of all sessions, then review recovery methods and connected apps.

6. Check your email account security (it’s the master key)

If someone gets into your email, they can usually reset passwords elsewhere.

  • Review your email’s recent logins and devices.
  • Change your email password and enable 2FA there too.
  • Look for forwarding rules and filters you didn’t create (attackers add rules that forward password-reset mail to themselves and delete or archive security alerts so you don’t notice).
  • Check “trusted devices” and remove anything unfamiliar.

If the suspicious alert was for your email itself, prioritize securing that first.
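The rule review above is worth doing against an export rather than by eye, because malicious rules are deliberately made easy to miss. The following is an added example, not code from the original article or from any mail provider: it audits constructed mailbox rules in a generic shape and flags forwarding to addresses outside domains you control, rules that forward every message, rules that delete, archive, mark as read or file away mail about passwords or sign-ins, and rules with blank or dot-only names (a common trick to keep a rule from standing out in the list). The rule format, the domain `example.com` and the term list are assumptions for the example.

```python
"""Audit mailbox rules for the tricks used to hide password-reset traffic.

Added example; the rules are constructed records in a generic shape,
not the export format of any particular mail provider.
"""

MY_DOMAINS = {"example.com"}  # assumed: domains of addresses you control

# Constructed rules. One legitimate filing rule, one legitimate internal
# forward, and two rules an attacker might add after taking over the inbox.
RULES = [
    {"name": "Receipts", "match": {"subject": "receipt"},
     "actions": {"move_to": "Receipts"}},
    {"name": ".", "match": {"subject": "password"},
     "actions": {"mark_read": True, "delete": True}},
    {"name": "Sync", "match": {},
     "actions": {"forward_to": "backup.mail.777@freemail-example.net", "delete": True}},
    {"name": "Work copy", "match": {"from": "boss@example.com"},
     "actions": {"forward_to": "me@example.com"}},
]

# Terms that appear in the mail an attacker wants you not to see (assumed list).
SENSITIVE_TERMS = ("password", "verification code", "sign-in", "security alert", "reset")
# Actions that keep a message out of your sight.
HIDE_ACTIONS = ("delete", "archive", "mark_read", "move_to")


def is_external(address, my_domains):
    """True if the address's domain is not one you control."""
    return address.rpartition("@")[2].lower() not in my_domains


def audit_rules(rules, my_domains=MY_DOMAINS):
    """Return (rule name, reason) pairs for rules an attacker would plausibly have added."""
    findings = []
    for rule in rules:
        name = rule.get("name", "")
        match = rule.get("match", {})
        actions = rule.get("actions", {})
        matched_text = " ".join(str(v) for v in match.values()).lower()

        # Forwarding out of your own domains, or forwarding everything, is the
        # classic way to receive your password-reset links.
        target = actions.get("forward_to")
        if target and is_external(target, my_domains):
            findings.append((name, f"forwards to external address {target}"))
        if target and not match:
            findings.append((name, "forwards every incoming message"))

        # Hiding mail that mentions passwords or sign-ins is how the attacker
        # keeps alerts like this one from reaching you.
        hides = [a for a in HIDE_ACTIONS if actions.get(a)]
        hit = next((t for t in SENSITIVE_TERMS if t in matched_text), None)
        if hit and hides:
            findings.append((name, f"hides mail matching {hit!r} via {', '.join(hides)}"))

        # Blank or dot-only names make a rule easy to overlook in a long list.
        if not name.strip(" ."):
            findings.append((name, "blank or dot-only rule name"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(RULES):
        print(f"rule {name!r}: {reason}")
```

On the constructed rules, “Receipts” and “Work copy” come back clean, while “.” and “Sync” are each flagged twice. Delete rules you did not create rather than just disabling them, and re-run the check after changing your password and signing out other sessions, since a rule is often the first thing an attacker re-adds.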

Final thoughts

The fastest safe path is: verify the alert, review recent activity, sign out sessions, then change passwords and enable 2FA.

After you’ve contained it, keep an eye on sign-in history for a day or two—repeat logins usually mean there’s still an active session or a recovery method you need to fix.