By default, all the accounts you ever create within MetaMask are generated from the same seed phrase, which is why any time you restore MetaMask from that seed phrase, you're able to recover the same accounts.
Since it can generate all of your accounts, it is the most secret item in your MetaMask vault, and if someone else gets it, you should be concerned.
DO NOT share this phrase with anyone! These words can be used to steal all your accounts. You can't edit/change your seed phrase.
If you were the victim of phishing, typically they will ask you to do one of the following:
- Sending them funds (We cannot help you if you've done this, we can't reverse transactions due to the immutable nature of the blockchain)
- Sending them the private key to an account (You should try to send any assets from that account to another as soon as possible)
- Sending them your seed phrase (You need to move all the assets off of all those accounts as soon as possible)
If your seed phrase is compromised, you need to create a new vault, and then send your digital assets to that vault as soon as possible.
This means having two MetaMask accounts at once. To do this, you can either use a second browser (Firefox vs Chrome, for example), or if your browser supports "profiles", each profile gets its own extensions, and so you can have two different MetaMasks open on two different windows.
On Chrome, the profiles tab looks like this, in the top right:
Once you have a new profile in your browser, you can install the MetaMask extension on that profile, and then set up a fresh account. From there, you will want to create as many accounts as you want, copy their addresses, and then go back to your old vault and get to sending out all the assets you can.
These assets can include:
- ENS names
Make sure to send Ether last, or at least a little Ether last, since Ether is required to pay the transaction fees of all the other transactions.
Good luck, and let us know if you've been the victim of phishing!