What to do if someone has had their email account hacked or stolen

[EmilyTapestrySupport]

If you're confident when it comes to using Tapestry, and the issue only seems to be affecting one user, you can follow all the steps in this tutorial to rectify it. If, however, you would like some assistance or you believe this issue is affecting several users (which might be the case if it's a staff email account that has been hacked or stolen) please do get in touch with us and we can deactivate the whole account to investigate. 

You can do this by either using the 'Contact us' page in the drop-down list from your name, or send an email to customer.service@eyfs.info. If you do send us an email though please make sure you message us from the email address you or another manager uses to sign into Tapestry - that way we will be able to help you a lot more quickly and efficiently because we will know we're speaking to the right person.
 

 

When you do contact us please use the 'in brief' text box or subject line to make it clear this is an issue about security. We do keep an eye out for those ones, so for example you could say 'Account Breach' or 'Email address hacked'. Also, within the body of the text please try to give us as much detail you can about who is affected and in what way.
 

In either scenario though, we do strongly recommend that you follow the first step in this tutorial, which is to deactivate the user/s accounts from within Tapestry. This is to ensure as quickly as possible that no one has access to any Tapestry accounts that shouldn't.

 

Deactivating their account 

To deactivate a user's account you will need to be a manager and you will need to login to the browser version of Tapestry. Once logged in you will need to go to the Control Panel, which you can find by clicking on your name in the top right-hand corner (1) and selecting 'Control Panel' from the drop-down menu (2). You will then need to select either 'Manage Staff' or 'Manage Relatives' (3), depending on the type of user account that has been affected.

 

 

 

Once on the appropriate page you just need to find this user in the list of names and then click on the cog button at the end of the row (1) and select 'Make inactive' (2). 

 

 

 

After deactivating the account/s, if you are confident this issue is only affecting one user, you can move on to checking the events on your Tapestry to see whether you think someone accessed the user's account that shouldn't have. If it is the case that several user's emails have been hacked, please now get in touch with us as soon as possible; you can find instructions on how to do this at the top of the tutorial. 

To search the events on your Tapestry to check what has been accessed and done by this user, you just need to go to the 'History' section (1) on the Control Panel. To only see events made by this specific user you will need to use the page filters located at the top of the page (2).

 

 

From the page filters pop-up you will need to search for the user's name. Remember to press 'Submit' when you have typed it in.

 

 

 

Here you will be able to see everything this user has done on your Tapestry; it's worth going through this list with the affected user to ensure they are confident they were the person that did all of these things. This will help you to establish exactly what happened and will help you if you need to inform the ICO and any data subjects (or their relatives) who might have been affected.

If you are happy though that no one else has logged in to the account you can move on to thinking about the security of the email account.

If the user can still access their email then they will need to reset their password for it, this should be strong and secure. To assist with this we have a written an article about how to set a secure password which you can read here and you can also read the UK government's current advice about secure passwords on their website. If they are no longer able to access their email then they will need to set themselves up with a new email account. Once have they done this it is very important that you change this for their Tapestry account before reactivating them.

Now we can think about helping them log back in to their Tapestry account.

 

How to reactivate the user's Tapestry account

Firstly, you will need to find their account again. To do this you will need to go back to the Manage Relatives or Manage Staff page on the Control Panel and then look for their name in the list. If you do not see it in the list, this may be because you have your filters on this page set so you can only see a certain type of users, for example just active users. To change this so you can only see inactive users you just need to click where it says 'Inactive' at the top of the page. 

 

 

 

 

Then once you have found them, click on the 'Edit' button at the end of the row. 

 

 

 

Here you can enter a new email address for them if necessary (1) and then you can change their status back to active from the 'Change Status' drop-down (2) and you will also need to manually change their password (3). For security reasons, it is important that you do change their password but do not tell them this new password. Once they have been reactivated, you will be able to send them a password reset email from which they can set up their own new password and regain access to their Tapestry account. 

 

 

Once you have done both of these things on this page just remember to press submit.

If you have used the page filters to find this inactive parent you might want to clear them so you are no longer just seeing inactive users. You can do this by clicking where it says 'All' at the top of the page.

 

 

 

Finally, so they can login to their account again, you can send them a password reset email so they can set up their own password; we strongly advise that they do not change this back to what it was before, or use the same password for their email account.

Only reactivate them and send this when you are 100% sure that they have regained access to their email account and that no one other than them has access to it. 

To do this you just need to stay on the Manage Relatives or Manage Staff page and click on that cog button at the end row of their name (1). From there select 'Reset Password' (2) and on the next page you just need to press the 'Send Email' button.

 

 

If there is anything in this tutorial you are unsure of, or you have any concerns about the security of the account, please do not hesitate to contact us at customer.service@eyfs.info. 

 

Go Back to Main Tutorials Page