What to Do After Buying a Game Account (2026 Checklist)

Published 2026-06-07 • Marcus Chen • 7 min read


The moment your purchase is confirmed, do these things in order: change the email address to one you own, set a new strong password, enable authenticator-based two-factor authentication, remove the seller's phone number and deauthorize their devices, then save your proof of purchase somewhere safe. Each step closes a specific recovery path the previous owner could use — skip one and the account is never fully yours.

Buying a game account from a vetted marketplace is straightforward, but the transfer of security is on you. The seller hands over credentials; you have to convert those credentials into a locked-down account that only you control. This checklist walks through every step, in the right order, for Riot (Valorant and League of Legends), Steam (CS2), and Epic Games (Fortnite). If you have not bought yet and want to understand how a safe purchase works end-to-end, read our guide on how to buy game accounts safely first.

1. Change the Email to One You Control

This is the single most important step, and it must come first. Every major gaming platform uses the registered email address as the ultimate account-recovery anchor. If the email tied to the account still belongs to the seller, they can trigger a "forgot password" flow at any time and lock you out — even after you change the password.

The seller may or may not have provided access to the original email inbox. If they did, use it now to complete the email-change verification. If they did not, contact the marketplace's support immediately; a reputable seller will cooperate because it is part of a clean handover.

  • Riot (Valorant / LoL): Account settings → Sign In & Security → email. You may need to verify from the old inbox. Our step-by-step: how to change your Valorant email.
  • Steam (CS2): Account Details → Manage email address. Steam sends a verification to the current email, so original email access matters here too. See: how to change your Steam email.
  • Epic Games (Fortnite): Account → General → Email → Edit. Epic requires a confirmation code sent to the existing address.

Use a dedicated email address for gaming accounts, one you do not use for anything else. If that inbox is ever compromised, the blast radius is limited.

2. Change the Password

Once the email is yours, change the password immediately. The seller knew the old one; there is no reason to leave it in place. A strong password is at least 16 characters, mixes upper and lower case with numbers and symbols, and is completely unique to this account — meaning you have not used it anywhere else.

The simplest way to meet all three criteria every time is a password manager (Bitwarden is free and open-source; 1Password and Dashlane are popular paid options). Let it generate the password, save it, and you never have to remember or reuse it. Do not use your username, your birthday, the game's name, or any password you already use elsewhere. Credential-stuffing attacks try leaked username/password pairs across dozens of platforms, and a password that exists nowhere else gives those attacks nothing to replay against this account.
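An added example, not part of the original article: a Python sketch that checks a candidate password against the criteria above (at least 16 characters, all four character classes, none of the words you should avoid, not reused) and generates one that passes using a cryptographically secure random source. The function names and the sample values are assumptions made for this illustration.

```python
import secrets
import string

MIN_LENGTH = 16  # the article's minimum length
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)


def problems(password, banned_words=(), used_elsewhere=()):
    """Return the checklist criteria that a candidate password fails."""
    found = []
    if len(password) < MIN_LENGTH:
        found.append("shorter than 16 characters")
    if not all(any(ch in cls for ch in password) for cls in CLASSES):
        found.append("missing a character class")
    lowered = password.lower()
    # banned_words: username, birthday, game name (case-insensitive match)
    if any(word and word.lower() in lowered for word in banned_words):
        found.append("contains a banned word")
    if password in used_elsewhere:
        found.append("already used elsewhere")
    return found


def generate(length=20):
    """Draw every character uniformly from the full alphabet with a CSPRNG,
    and redraw the whole string until all four classes are present, so no
    position is reserved for a particular class."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least 16")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(problems("Valorant2026!", banned_words=["valorant", "mchen"]))
    print(generate())
```
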

3. Enable Two-Factor Authentication

With a new email and password in place, two-factor authentication (2FA) is the next lock on the door. Even if someone obtains your password, they cannot sign in without the second factor. Use an authenticator app — Google Authenticator, Authy, or Microsoft Authenticator — rather than SMS where possible. SMS 2FA can be bypassed by SIM-swapping; an app-based code exists only on your device.

  • Riot: account settings → Two-factor authentication → authenticator app.
  • Steam: Steam Guard is Steam's built-in 2FA, managed through the Steam mobile app. Enable it immediately — it also gates marketplace trades, a useful secondary benefit.
  • Epic: account → Password & Security → Two-factor authentication → authenticator app.

For a platform-by-platform breakdown of exactly where each toggle lives, see our guide on how to enable 2FA on your game account. When you enable 2FA you will usually see backup codes — store these in your password manager or print them. They are your way back in if you lose your phone.

4. Remove Old Phone Numbers and Deauthorize Devices

Phone numbers are a second recovery path. If the seller's number is still on the account, they could use "forgot password via SMS" — or platform support could restore access to them if they claim the account and cite the phone as proof.

  • Remove any phone number you did not add yourself from the security settings, then add your own.
  • Sign out of all active sessions. Most platforms have a "sign out everywhere" or "deauthorize all devices" option. This terminates any sessions the seller may still have open.
  • On Steam specifically, review the authorized devices under Steam Guard and remove anything you do not recognise.

After signing out all sessions, sign back in yourself — this confirms only your devices hold active tokens.

5. Review Linked Accounts and Payment Methods

Before you connect your own accounts, check what is already linked.

  • Connected social logins: Some accounts have Google, Apple, Facebook, or PlayStation logins linked as sign-in methods. Remove any you do not own — they are additional recovery vectors for whoever controls those social accounts.
  • Linked consoles: A PlayStation or Xbox set as "primary" grants broad access. Delink consoles you did not set up.
  • Saved payment methods: Check whether the seller left a card or PayPal on file and remove it immediately. Do not add your own payment method until steps 1–4 are complete — there is no benefit to adding a card while the account could still be recovered by someone else.

6. Keep Your Proof of Purchase

Marketplaces maintain transaction records; keep yours too. If you ever need to contact platform support and demonstrate you legitimately acquired the account, a timestamped receipt — showing what was bought, when, and from whom — strengthens your case. Save your order confirmation, any email receipts, and a screenshot of the credentials as delivered (stored privately). Keep these in a folder separate from the accounts themselves. They are proof of a good-faith transfer, which is relevant if your account is ever flagged and you need to explain its history. If you ever do lose access and need Steam's official process, our Steam account recovery guide covers what documentation support typically requests.

Platform Differences to Know

  • Riot ties accounts to a region; region transfers are limited and can cost RP, so confirm the region before making purchases.
  • Steam applies a multi-day trade/market hold after a major security change (new email, new authenticator) — expect this window after steps 1–3; it is a fraud-prevention measure, not a bug.
  • Epic (Fortnite) has strict console-linking rules — an account can only be linked to one PlayStation or Xbox ecosystem at a time, and some links are hard to undo. Check link status before adding your own console.

| Step | What to do | Why it matters |
|------|------------|----------------|
| 1 | Change the account email to your own | Closes the seller's password-reset path |
| 2 | Set a new, unique, strong password | Invalidates the credentials the seller knew |
| 3 | Enable authenticator 2FA; save backup codes | Blocks sign-in even if your password leaks |
| 4 | Remove seller's phone; sign out all devices | Kills active sessions and the SMS-recovery vector |
| 5 | Remove linked socials, consoles, saved cards | Strips alternate sign-in and billing exposure |
| 6 | Save your purchase receipt and confirmation | Supports your case if you ever need support |

Frequently Asked Questions

What is the single most important step?

Changing the email address. Every other security setting — password resets, 2FA recovery, phone-number recovery — routes through the registered email at the platform level. As long as someone else controls that inbox, they have a path back in. Change the email first, verify it, then work through the rest of the checklist.

What if I do not have access to the original email?

Contact the seller immediately and request email access long enough to complete the transfer. A seller operating through a vetted marketplace is incentivised to cooperate, since disputes and chargebacks are costly to them. If the seller is unresponsive, escalate to marketplace support and document the conversation. Some platforms have an account-recovery appeal process that weighs purchase evidence — which is where your proof of purchase (step 6) becomes useful.

How soon should I complete these steps?

Within the first hour of receiving the credentials. The longer the seller's email, password, and devices remain active, the larger the window of exposure. There is no benefit to waiting — log in, run through the checklist top to bottom in one sitting, and the account is yours. It takes roughly 15–20 minutes if you have access to the original email.

Can the seller still recover the account after I have done all of this?

If you have completed every step — new email you own, new password, your own 2FA, their phone removed, their devices signed out — the remaining risk is very low. Their most practical route was the email, and that is closed. The residual risk is a platform support appeal using original payment records, which is exactly why keeping your own proof of purchase matters: it gives you a counter-narrative. Buying from verified sellers on established marketplaces reduces that risk from the start.

Ready to buy your next account with confidence? Every listing on BuyAccount is checked before it goes live, with support if anything does not go as expected. Read our full buyer's guide before you shop, and if you have accounts you no longer use, you can apply to become a seller and pass them on to players who will put them to good use.
