Recovering a lost account

Accounts get locked out. Phones get lost, passwords get forgotten, email addresses change after a job switch. Here's how to get back in for each case.

Forgot your password

Go to /auth/forgot-password and enter the email address on your account. You'll get a reset link by email; the link is single-use and expires in a few hours.

If you don't receive the email:

• Check the spam folder.
• Confirm the email you typed matches the one on the account exactly (no typos).
• Wait a few minutes — delivery can be delayed.
• Some corporate mail filters strip password-reset links. Try a different recovery email if your IT routes everything through a quarantine.

After resetting, all existing sessions are invalidated — you'll be signed out everywhere and need to sign in fresh. That's intentional: if someone else triggered the reset, this kicks them out too.

Lost your only passkey

If you registered a passkey and then lost the device it lives on (and you don't have a spare passkey or password sign-in enabled), the recovery path is via your verified email:

1. Go to /auth/login.
2. Click Can't sign in? → Recover via email.
3. Confirm the email address.
4. You'll get a recovery link that lets you set a new password and disable the lost passkey.

For this to work, your email address has to still be reachable. If both your passkey and email are lost, contact support — they can verify your identity through other means (business profile verification documents, recent transaction history) but it's a manual process and takes longer.

Changing your email address

If your work email is changing (job change, company rename), update it before you lose access to the old one:

1. Dashboard → Settings → Account.
2. Update the email field.
3. Confirm the change by clicking the link sent to the new email.

Until you confirm the new address, the old one stays active for sign-in and recovery. Once confirmed, sign-in switches over and recovery links go to the new address.

If the old email is already gone, see the next section.

You no longer have access to the email on file

This is the hardest case. The platform can't just take your word that an account is yours.

Reach out to [email protected] from any email and include:

• Your full name and the name of your business profile.
• The approximate date you created the account.
• Any past transaction IDs you can recall.
• A photo of the same government-issued ID that was used during business verification (if your profile was verified).
• A short explanation of what happened.

Support manually reviews these requests. The process is deliberately slow — if it were fast, it would be exploitable. Expect a few business days.

Active sessions and remote sign-out

You can review and revoke active sessions from Dashboard → Settings → Security → Active sessions:

• Each entry shows the device, browser, IP region and last-active time.
• "Sign out" on any entry kills that session immediately.
• "Sign out everywhere except this device" is a one-click panic button — useful if you suspect compromise.

After signing everyone out, the natural next step is to change your password and re-register passkeys on the devices you actually use.

Compromised account suspicion

If something looks off — a listing you didn't create, a message you didn't send, an unexpected sign-in notification:

1. Sign out all sessions (Settings → Security).
2. Change your password to something you don't use anywhere else.
3. Remove any unfamiliar passkeys in Settings → Security.
4. Check your email forwarding rules — attackers sometimes set up filters to hide platform notifications. Strip anything that doesn't belong.
5. Review your business profile and listings for anything that's been changed.
6. Contact support with a brief timeline of what you saw.

Haubot's notifications team can flag suspicious activity on your account if you ask — login attempts from unusual regions get auto-flagged anyway, but you can request stricter alerting.