
Do two-step verification the right way

Sarah's advice to others

Do not reuse passwords, and (if possible) do not use your email for two-step verification. Phone numbers and verification apps are invaluable when it comes to protecting your online information. Hackers may be able to compromise an email address, but they can't reach into your pocket for that phone.

Sarah R.

Age 30, Japan, teacher

The story

About five years ago, my primary email was hacked. I had the same password on a few accounts and used that address for two-step verification on others. This resulted in even greater unauthorized access.

I was very, very fortunate that the hacker: a) was unable to change my primary email's password without access to my phone, b) decided to send spam to my contacts list, and c) had such a different purchasing pattern than myself. Several family members and friends alerted me about the spam, and I received a call from the card company.

In the end, the full list of compromised accounts consisted of ten online stores and services, and a secondary email.

The first thing the hacker seems to have done was to change the personal information on my accounts: name, address, and, where possible, the security information. Second, they began spamming my mailing list and making purchases using my credit information.

I was absolutely panicked. I was in the staff room at the time and quickly tried logging in to my email. I was relieved to find out that the password was unchanged, but that lasted only until I checked the 'sent' messages. As I still had access, I locked it down.

From there, it was a matter of putting out fires and contacting my card company with a full list of attempted purchases. The company had only permitted five purchases before flagging them as suspicious, so that (thank god) was easily resolved. They assured me that nothing would go through and that the five would also be canceled.

Determining which of my other accounts were compromised and recovering them was more difficult. In the end, it took me the better part of a week to regain access to as many accounts as possible. One account was, unfortunately, impossible to recover.