By default, all the accounts you ever create within MetaMask are generated from the same seed phrase, which is why any time you restore MetaMask from that seed phrase, you're able to recover the same accounts.
Since the seed phrase can generate all of your accounts, it is the most secret item in your MetaMask vault, and if someone else gets it, you should be concerned.
If you were the victim of phishing, the attacker will typically have asked you to do one of the following:
1. Sending them funds (we cannot help you if you've done this).
2. Sending them the private key to an account (you should try to send any assets from that account to another as soon as possible).
3. Sending them your seed phrase (you need to move all the assets off all those accounts as soon as possible).
Eventually, we might add features for emergency seed-phrase migrations, but until that time, if your seed phrase is compromised, you need to create a new vault, and then send your digital assets to that vault ASAP.
This means having two MetaMask accounts at once. To do this, you can either use a second browser (Firefox vs Chrome, for example), or if your browser supports "profiles", each profile gets its own extensions, and so you can have two different MetaMasks open on two different windows.
On Chrome, the profiles tab is in the top right.
Once you have a new profile, you can install the MetaMask extension on that profile, and then set up a fresh account. From there, you will want to create as many accounts as you want, copy their addresses, and then go back to your old vault and get to sending out all the assets you can.
These assets can include:
- ENS names
Make sure to send Ether last, or at least a little Ether last, since Ether is required to pay the transaction fees of all the other transactions.
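To make the "Ether last" ordering concrete, here is an added planning sketch (not MetaMask code) that works out, for one compromised account, which assets it can afford to move and how much Ether is left for the final transfer. The asset labels, balances, gas price, and the per-asset gas estimates are constructed assumptions; only the 21,000-gas cost of a plain Ether transfer is a protocol constant.

```python
# Added example: order the transfers out of one compromised account.
# All amounts are integers in wei so no rounding can creep in.
GWEI = 10**9
ETH_TRANSFER_GAS = 21_000  # gas used by a plain Ether transfer


def plan_sweep(balance_wei, assets, gas_price_wei):
    """Plan transfers for one account.

    assets: list of (label, estimated_gas), in the order you want them moved.
    Returns the send order, any assets the balance cannot pay for, the Ether
    to send in the last transaction, and how much Ether is missing.
    """
    sends, blocked, remaining = [], [], balance_wei
    for label, gas in assets:
        fee = gas * gas_price_wei  # estimate; the real fee depends on gas used
        if fee <= remaining:
            remaining -= fee
            sends.append(label)
        else:
            blocked.append((label, fee))
    final_fee = ETH_TRANSFER_GAS * gas_price_wei
    shortfall = max(0, sum(fee for _, fee in blocked) - remaining)
    # Ether goes last, and only once nothing else is waiting on it for fees.
    eth_to_send = remaining - final_fee if not blocked and remaining > final_fee else 0
    return {
        "order": sends + (["ETH"] if eth_to_send else []),
        "blocked": [label for label, _ in blocked],
        "eth_to_send_wei": eth_to_send,
        "shortfall_wei": shortfall,
    }


if __name__ == "__main__":
    # Constructed sample holdings and gas estimates (assumptions, not measurements).
    holdings = [("ENS name", 80_000), ("ERC-20 token", 65_000)]
    for balance in (10**16, 3 * 10**15):  # 0.01 ETH and 0.003 ETH
        print(balance, plan_sweep(balance, holdings, 30 * GWEI))
```

A non-zero `shortfall_wei` means the account does not hold enough Ether to pay for every transfer, so the listed `blocked` assets stay put until that is resolved.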
Good luck, and let us know if you've been the victim of phishing!