An unfamiliar recovery email or phone number is like finding a spare key to your house that you didn’t make. It might be harmless (old info you forgot), or it might be a sign someone’s trying to keep a back door into your account.
This guide shows how to remove recovery email and phone entries you don’t recognize on Google, Apple, and Microsoft accounts, what to do if you can’t delete them, and how to lock things down afterward.
Menus can vary a bit by device, region, and app version, but the Security and Sign-In areas are the right place to look.
Warning signs you should act on right now
If you notice any of these, treat it as urgent, not “I’ll fix it later”:
- Password reset emails or texts you didn’t request
- A new recovery email/phone added without your approval
- Sign-in alerts from places you don’t recognize
- Friends or customers saying your account sent strange messages
- Your account suddenly asks for new verification you never set up
Before you start changing recovery info, take two safety steps. First, use a device you trust (your main phone or computer). Second, type the site address yourself or use bookmarks; don’t follow links from emails or texts.
A quick “stop the bleeding” checklist:
- Change your password immediately (unique, long, and not reused anywhere).
- Sign out of other sessions in your account’s security page.
- Remove unknown recovery options (email, phone, devices).
- Check for mail forwarding and filters that could hide alerts.
- Don’t share verification codes with anyone, even if they sound official.
Once your password is updated, move on to cleaning the recovery details.
Google Account (Gmail, YouTube): find and remove unknown recovery info
Google stores recovery options in your Google Account Security settings. If someone adds their email or phone as recovery info, they can often reset your password later, even if you changed it.
Remove or replace a recovery email on Google
On a computer, go to myaccount.google.com, sign in, then open Security. Look for How you sign in to Google or Recovery options. Open Recovery email, review what’s listed, and remove anything you don’t recognize. If Google requires a confirmation step, complete it right away.
Google’s official overview of where recovery options live is here: Google recovery options settings.
If you’re trying to remove recovery email but Google won’t let you leave the account with no recovery methods, add a trusted option first (your own phone number, or a backup email you control), then delete the unknown one.
Remove or replace a recovery phone number on Google
In the same Security area, open Recovery phone (or Phone depending on your layout). Remove unknown numbers, then add your current number and verify it with a code.
If you want Google’s official notes on how phone numbers are used and changed, see change the phone number on your Google Account.
If the attacker changed recovery info and you can’t remove it
If you can still sign in, change the password first, then remove the bad recovery entries. If you can’t sign in, use Google’s account recovery flow at accounts.google.com/signin/recovery (type it in). Expect prompts that test account history, devices, and prior passwords. Once you regain access, return to Security and remove anything unfamiliar.
Before leaving Google, check for “silent back doors” in Gmail: look for Forwarding addresses and suspicious Filters that auto-archive security alerts. Also review Third-party apps with account access and remove anything you don’t use.
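The filter check described above can be scripted if you have many filters. This is an added example, not code from Google: it assumes you exported your filters from Gmail's Filters settings as an XML file in the Atom format with `apps:property` elements, and the keyword list, function name, and sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Assumed keyword list for account-security mail; extend it for your providers.
ALERT_TERMS = ("security", "password", "verification", "sign-in", "recovery",
               "accounts.google.com")
MATCH_FIELDS = ("from", "subject", "hasTheWord")
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")

def audit_filters(xml_text, my_addresses):
    """Return (filter_number, reason) pairs for filters that need a manual look."""
    findings = []
    root = ET.fromstring(xml_text)
    for n, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        # Forwarding to an address you do not own copies your mail to someone else.
        forward_to = props.get("forwardTo", "").strip().lower()
        if forward_to and forward_to not in my_addresses:
            findings.append((n, "forwards to unrecognized address " + forward_to))
        # A filter that matches security mail and archives/trashes it hides alerts.
        criteria = " ".join(props.get(f, "") for f in MATCH_FIELDS).lower()
        hiding = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hiding and any(term in criteria for term in ALERT_TERMS):
            findings.append((n, "hides security mail: " + ", ".join(hiding)))
    return findings

# Constructed sample export; the filters and example.* addresses are made up.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><category term='filter'/>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='shouldArchive' value='true'/></entry>
  <entry><category term='filter'/>
    <apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/></entry>
  <entry><category term='filter'/>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='forwardTo' value='drop@mailbox.example'/>
    <apps:property name='shouldTrash' value='true'/></entry>
  <entry><category term='filter'/>
    <apps:property name='subject' value='invoice'/>
    <apps:property name='forwardTo' value='me.backup@example.com'/></entry>
</feed>"""

if __name__ == "__main__":
    for number, reason in audit_filters(SAMPLE_EXPORT, {"me.backup@example.com"}):
        print(f"filter {number}: {reason}")
```

Pass your own addresses in lowercase; anything the script flags still needs a manual review in Gmail before you delete it.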
Apple Account (Apple ID): trusted phone numbers and account emails
Apple calls it an Apple Account now (many people still say Apple ID). Either way, your trusted phone numbers and account email addresses control password resets and sign-in approvals.
Where to look on iPhone, iPad, and Mac
On iPhone or iPad: Settings > your name > Sign-In & Security.
On Mac: System Settings > your name > Sign-In & Security.
You’ll typically see Email & Phone Numbers and Trusted Phone Numbers. Remove anything you don’t recognize, then add your own number if needed and complete Apple’s verification prompts.
Apple explains the different email addresses tied to your account (primary and additional) here: Apple Account email addresses explained.
If you can’t remove an unknown number or email
Apple often requires you to be on a trusted device and signed in with two-factor authentication to make sensitive changes. If you’re locked out, start Apple’s recovery at iforgot.apple.com (type it in and follow prompts). Recovery can take time, so don’t wait if something looks wrong.
After cleanup, review the Devices list in your Apple Account settings and remove any device you don’t own. If you use iCloud Mail, also check for mail rules or forwarding in iCloud Mail settings on the web, since attackers like to redirect copies of password reset emails.
Microsoft account (Outlook, OneDrive, Xbox): security info, aliases, and verification methods
For Microsoft accounts, the key area is your Security info (ways you verify sign-ins and reset passwords). Attackers often add a new email or phone there, then rely on it later.
Remove unknown verification methods
Sign in to account.microsoft.com, then open Security and find Advanced security options (wording varies). Under sign-in verification methods, remove any email, phone, or app you don’t recognize.
Microsoft’s official steps are here: remove a sign-in method.
Add your own verification method first if Microsoft won’t let you delete the last one. As a rule, keep at least two options that you control.
If you’re locked out or the attacker took over recovery info
Use Microsoft’s account recovery process and provide as much accurate detail as you can (recent subjects you emailed, old passwords, billing info if you have it). The official guidance is here: Microsoft account recovery form help.
Once you’re back in, check Outlook settings for forwarding rules and inbox rules that hide security alerts. Also review any connected apps and remove what you don’t use.
After cleanup: lock the door so it stays shut
Removing unknown recovery details is step one. The safer finish is to make sign-ins harder to steal next week.
- Turn on stronger sign-in: use passkeys where offered, or app-based prompts (Google Authenticator or passkeys for Google, Apple two-factor on trusted devices, Microsoft Authenticator with passwordless sign-in where available).
- Sign out everywhere: revoke old sessions so a stolen login cookie stops working.
- Review connected apps: remove third-party access you don’t need.
- Revoke app passwords (if you ever created them): attackers love these because they can bypass normal prompts.
- Audit mail forwarding and aliases: Gmail forwarding and filters, iCloud Mail rules, Outlook forwarding and inbox rules.
Quick troubleshooting (common roadblocks)
You can’t delete the last recovery method: add your own new email or number first, verify it, then remove the unknown one.
Verification codes aren’t arriving: confirm the number is correct, check spam folders, wait a few minutes, and try a different method (app prompt or backup email). Avoid repeated rapid requests.
Work or school accounts: if it’s managed by an employer or school, you may not be able to change recovery info yourself. Contact your admin or IT team.
Conclusion
Unknown recovery emails and phone numbers aren’t just clutter; they’re often a quiet way for someone to come back later. Clean up recovery options on Google, Apple, and Microsoft, then back it up with stronger sign-in, fewer connected apps, and no sneaky mail forwarding. A good rule: if you wouldn’t hand a stranger your spare key, don’t leave them a recovery method either. Keep your account recovery options tight and up to date.

