Account recovery and lockouts

What to do when you cannot log in. Forgotten password, lost 2FA device, suspicious activity locks, and the recovery cooldown.

Last updated 2026-05-10

Lockouts happen. Here's how to get back in, in priority order.

Forgot password

Login → "Forgot password" → enter email. We send a reset link valid for 60 minutes. Open it, set a new password, you're back in.

If you don't get the email:

  • Check spam (especially if your email is at iCloud or older corporate domains)
  • Verify the email is right (typos in the username field on signup are common)
  • If you can log in another way, check Settings → Account → Email to see whether the address on file is the one you remember

Lost 2FA device

In order:

  1. Use a backup code (Login screen → "Use backup code" → enter)
  2. Log in from a device with an existing session. Settings → Security → 2FA → Disable
  3. Trigger account recovery (last resort)

Account recovery flow

Login screen → "I lost everything" link. We require:

  • Government ID upload (passport, driver's licence, national ID)
  • Selfie holding the ID (proves liveness)
  • Verification of recent payments on the account (last 4 of card, last 4 of bank account, an order ID from the past 30 days)
  • Email confirmation
  • 24-hour cooldown before the reset takes effect

The cooldown is non-negotiable. It's there because account-takeover attacks rely on speed. If a real attacker is mid-flow, the cooldown gives YOU time to notice and cancel.

Suspicious-activity lock

We auto-lock an account when:

  • 5+ failed login attempts in 5 minutes from different IPs
  • Login from an entirely new country with no prior activity
  • 2FA failed 5 times consecutively
  • Password reset attempted from a known-malicious IP

You'll get an email immediately. Click "This was me" to unlock. Click "This wasn't me" to keep it locked AND change the password (we lead you through this).
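
The failed-login and 2FA rules above, sketched as detection logic over a stream of login events. This is an added example, not the service's own code: the event tuple layout, the `lock_reason` name, and the reading of "from different IPs" as "more than one source address" are assumptions, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # "in 5 minutes"
THRESHOLD = 5                   # "5+ failed login attempts", "2FA failed 5 times"

def lock_reason(events):
    """Return (timestamp, rule) for the first event that trips a lock, else None.

    events: time-ordered (datetime, kind, ip, ok); kind is "password" or "2fa".
    """
    failures = deque()  # (time, ip) of failed password attempts inside WINDOW
    streak = 0          # consecutive 2FA failures
    for ts, kind, ip, ok in events:
        if kind == "password" and not ok:
            failures.append((ts, ip))
            while ts - failures[0][0] > WINDOW:  # expire attempts older than the window
                failures.popleft()
            # Assumption: "from different IPs" means more than one source address.
            if len(failures) >= THRESHOLD and len({i for _, i in failures}) > 1:
                return ts, "failed-logins"
        elif kind == "2fa":
            streak = 0 if ok else streak + 1  # a success breaks the streak
            if streak >= THRESHOLD:
                return ts, "2fa-failures"
    return None

# Constructed sample data; addresses are from the RFC 5737 documentation ranges.
T0 = datetime(2026, 5, 10, 12, 0)

def attempts(kind, rows):
    """rows: (seconds after T0, ip, ok) -> event tuples."""
    return [(T0 + timedelta(seconds=s), kind, ip, ok) for s, ip, ok in rows]

SPRAY = attempts("password", [(0, "203.0.113.5", False), (50, "198.51.100.7", False),
                              (110, "203.0.113.5", False), (180, "192.0.2.44", False),
                              (240, "198.51.100.7", False)])
# Five failures from one address: no lock under the assumption above.
ONE_IP = attempts("password", [(s, "203.0.113.5", False) for s in range(0, 250, 50)])
# Five failures from five addresses, but spread over eight minutes.
SLOW = attempts("password", [(s * 120, f"192.0.2.{s + 1}", False) for s in range(5)])
# Four 2FA failures, one success, then five failures in a row.
TWOFA = attempts("2fa", [(s * 10, "203.0.113.5", s == 4) for s in range(10)])

if __name__ == "__main__":
    for name, ev in [("spray", SPRAY), ("one_ip", ONE_IP), ("slow", SLOW), ("2fa", TWOFA)]:
        print(name, lock_reason(ev))
```

The new-country and known-malicious-IP rules are left out because they depend on geolocation and reputation data the page does not describe.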

Stolen account

If you suspect someone has your account:

  1. Change password immediately (Settings → Security → Password)
  2. Revoke all sessions (Settings → Security → Active sessions → Revoke all)
  3. Rotate API keys (Settings → Developers → API Keys → Rotate)
  4. Audit recent payouts and withdrawals (Settings → Payouts → Recent)
  5. Contact us. We can audit raw access logs and identify the attack vector.

Owner role

Only an Owner can do recovery on a multi-team account. If the only Owner loses access and there's no backup Owner, recovery is harder. You go through the full government-ID flow and we manually verify the business via your payment provider's records.

This is why every account should have at least one Owner-tier backup user (a co-founder, a trusted ops lead). Settings → Employees → set role = Owner.
