Fix
Cursor Account Compromised? Do These 5 Things Now
If your Cursor account looks compromised: secure the login provider first (change that password, enable two-factor), then revoke every active session at cursor.com/dashboard → My Settings, rotate any API keys stored in Cursor, audit billing and team membership for changes you didn't make, and email security@cursor.com with dates and screenshots.
On this page
How do I know my Cursor account is compromised?
Cursor's security guidance lists four signals. Any one of them justifies running the full recovery sequence below — they cost minutes and are safe to do on suspicion.
- Unexpected usage or charges on your billing page.
- Login notifications you don't recognize.
- Settings or preferences you didn't change.
- Team invitations you didn't send.
A hijacked Cursor account is usually monetized by burning your model usage, not by reading your code. Sudden on-demand charges or a drained usage allowance is the most common first symptom — which is why the billing page is both a detection surface and part of the audit below.
This is covered hands-on in Troubleshooting and Operating Cursor Reliably — 7 short modules, free to read.
What are the first five things to do?
- 1Secure the login method itself. Cursor sign-in rides on Google, GitHub or an email magic link — the compromise is usually upstream. Change the password on that provider immediately and enable two-factor authentication. For magic-link accounts, that means the email account's password and 2FA.
- 2Revoke every session. Go to cursor.com/dashboard → My Settings → Active Sessions, and click Revoke next to each session. This severs any device the attacker still holds.
- 3Rotate exposed API keys. If you stored provider keys in Cursor (OpenAI, Anthropic), revoke them on the provider's dashboard, generate new ones, and only then re-add them to Cursor settings.
- 4Audit billing and team state. At cursor.com/dashboard/billing, check invoices and usage for anomalies; review team membership for members or invitations you didn't create.
- 5Escalate to security@cursor.com if you see unauthorized charges, lost account access, unfamiliar team members or suspect key exposure. Include dates, the charges and screenshots — it shortcuts triage.
Revoking sessions before securing the login provider just invites the attacker to sign back in. Provider first, sessions second — the sequence above is Cursor's, and it is the right one.
What if my account uses company SSO?
SSOSingle Sign-On. One company login (usually via SAML or OIDC) instead of a separate password per tool. Press Enter for the full definition.-managed accounts can't self-serve the recovery: session control lives in your identity provider. Cursor's guidance is to contact your IT administrator to revoke sessions in the IdP, review suspicious logins there, and reset corporate credentials if needed. Loop in whoever owns the Cursor team plan too — they can see team-level activity you can't.
How do I prevent the next one?
Every control below maps to how hijacked accounts actually get used — burned usage, spent API keys, quiet team invites. Four habits close those doors.
- Control
- Two-factor on the identity provider
- Why it works
- Cursor inherits the provider's login security — 2FA there protects Cursor too
- Control
- Don't paste API keys into shared configs
- Why it works
- Exposed provider keys are spent within hours; keep them in Cursor's settings or a secret manager, never in committed files
- Control
- Periodic session review
- Why it works
- Active Sessions is worth a glance after using shared or public machines
- Control
- Spend limits and usage alerts
- Why it works
- A monthly cap turns a hijack from an open-ended bill into a bounded one
| Control | Why it works |
|---|---|
| Two-factor on the identity provider | Cursor inherits the provider's login security — 2FA there protects Cursor too |
| Don't paste API keys into shared configs | Exposed provider keys are spent within hours; keep them in Cursor's settings or a secret manager, never in committed files |
| Periodic session review | Active Sessions is worth a glance after using shared or public machines |
| Spend limits and usage alerts | A monthly cap turns a hijack from an open-ended bill into a bounded one |
Prevention maps one-to-one to how compromised accounts actually get used.
Frequently asked questions
Can I reset my Cursor password directly?
Cursor sign-in goes through Google, GitHub or an email magic link, so there is no separate Cursor password to reset. Securing the account means securing that provider: change its password and enable two-factor authentication there, then revoke Cursor sessions.
How do I log out all devices from my Cursor account?
cursor.com/dashboard → My Settings → Active Sessions, then Revoke next to each session. Do this after securing the login provider so the attacker can't simply sign in again.
Who do I contact about unauthorized Cursor charges?
Email security@cursor.com with the relevant dates, the charges and screenshots. Audit cursor.com/dashboard/billing first so the report includes the specific invoices and usage anomalies.
My API keys were in Cursor — are they compromised too?
Treat them as exposed: revoke the keys on the provider's dashboard (OpenAI, Anthropic), generate replacements, and re-add the new ones in Cursor settings. Provider keys are the most immediately monetizable thing in a hijacked account.
Sources & last verified
Cursor ships frequently. Facts verified against primary sources on July 16, 2026.