🚨 What To Do If You Think You've Been Hacked (Step-by-Step)
On this page
- Step 1: Change the Password on the Compromised Account
- Step 2: Sign Out of All Devices
- Step 3: Check Account Recovery Settings
- Step 4: Enable Two-Factor Authentication
- Step 5: Check for Unauthorised Activity
- Step 6: Warn Your Contacts
- Step 7: Scan Your Devices for Malware
- Preventing Future Compromises
If you think someone has accessed your account without permission, act quickly but calmly. The faster you respond, the less damage an attacker can do. Follow these steps in order.
Step 1: Change the Password on the Compromised Account
Change the password immediately. Use a device you trust — ideally one you have already scanned for malware. Generate a new strong password using a password manager or our password generator. Make it at least 16 characters and unique to this account.
Important: If you can still log in, change the password before doing anything else. If the attacker changed the password and locked you out, use the "Forgot Password" option to reset it. If the recovery email or phone number has been changed, contact the service's account recovery team directly.
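For readers who want to see what "generate a strong, unique password" means in practice, here is an added example (not code from this page or from any password manager it mentions) that draws a 20-character password from a cryptographically secure random source, checks it against the 16-character minimum and the usual character-class policy, and reports how much entropy the choice carries. The policy thresholds and the `ALPHABET` used are assumptions for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and punctuation (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 16  # the minimum this guide recommends


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def policy_problems(password: str) -> list[str]:
    """Return the reasons a password fails the (assumed) policy; empty means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation")
    return problems


def generate_password(length: int = 20) -> str:
    """Generate a password with the `secrets` module (CSPRNG, unlike `random`)."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    # Resample until every character class is present; with 20 characters this
    # almost always succeeds on the first draw.
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits of entropy)")
    # A constructed weak example, to show what the checker reports.
    print(policy_problems("summer2024"))
```

Each account gets its own call to `generate_password()`; reusing one output across sites is exactly the mistake the "unique to this account" advice guards against, because a leak from one site then opens the others.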
Step 2: Sign Out of All Devices
After changing the password, most services offer an option to "Sign out of all devices" or "Revoke all sessions" in the Security Settings. Use it. This forces any attacker currently logged in to authenticate again — and they will not have the new password.
Do not skip this step. Attackers often maintain active sessions that persist even after a password change. Signing out everywhere ensures those sessions are terminated. The Trusty Password manager companion complements password managers by generating unique credentials for every site.
Step 3: Check Account Recovery Settings
Attackers often change recovery email addresses, phone numbers, and security questions to lock the legitimate owner out. Go to Account Recovery or Security Settings and verify:
- Recovery email address — is it yours?
- Recovery phone number — is it your number?
- Security questions — were they changed?
- MFA methods — were any new authenticator apps or phone numbers added?
- Email forwarding rules — attackers set these up to intercept password reset emails
If any of these were changed, restore them immediately.
Step 4: Enable Two-Factor Authentication
If you did not have 2FA enabled before, enable it now. Use an authenticator app (TOTP) or a passkey. This prevents the attacker from logging back in even if they somehow obtain your new password. Learn how to set this up in our step-by-step 2FA guide.
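To make concrete why a TOTP code stops an attacker who already holds your password, here is an added example (not code from this page or from any authenticator app) implementing the RFC 6238 algorithm an authenticator app runs: a six-digit code derived from a shared secret and the current 30-second time step, plus the verifier's side, which tolerates one step of clock drift and refuses to accept the same code twice. The Base32 secret in `main` is constructed for the demonstration; the test vectors come from RFC 6238.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, for_time // step, digits)


class TotpVerifier:
    """Server side: accept a code for the current step (plus/minus `window`
    steps of drift) and never accept a step that has already been used."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_used_counter = -1  # replay protection

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for drift in range(-self.window, self.window + 1):
            counter = current + drift
            if counter <= self.last_used_counter:
                continue  # already consumed: a captured code cannot be replayed
            expected = hotp(self.key, counter, self.digits)
            if hmac.compare_digest(expected, code):  # constant-time comparison
                self.last_used_counter = counter
                return True
        return False


def key_from_base32(secret: str) -> bytes:
    """Authenticator apps show the shared secret as Base32; decode it to raw bytes."""
    padded = secret.upper().replace(" ", "") + "=" * (-len(secret) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    # Constructed secret for the demo; a real one is generated by the service.
    key = key_from_base32("JBSWY3DPEHPK3PXP")
    now = int(time.time())
    print("code for this 30 s window:", totp(key, now))
    verifier = TotpVerifier(key)
    print("accepted:", verifier.verify(totp(key, now), now))
    print("replayed:", verifier.verify(totp(key, now), now))  # False
```

The point for Step 4: the code changes every 30 seconds and is derived from a secret that only your phone and the service hold, so a stolen password alone is not enough to log in, and a code phished once is useless after it has been used.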
Step 5: Check for Unauthorised Activity
Review what the attacker did while they had access:
- Emails sent — Check your Sent folder. Attackers often use compromised email accounts to send phishing messages to your contacts.
- Purchases and transactions — Check recent orders, payments, and transfers.
- API keys and app permissions — Revoke any that were added without your knowledge.
- Social media posts — Check for posts you did not make.
- Connected accounts — Other services that let you sign in with the compromised account could have been reached by the attacker too; review them.
Step 6: Warn Your Contacts
If the attacker sent messages from your account, let your contacts know. A simple message — "My account was compromised. If you received a suspicious message from me, please ignore it and do not click any links" — prevents the attack from spreading to people who trust you.
Step 7: Scan Your Devices for Malware
Run a full antivirus scan on all devices you use to access the compromised account. Use a trusted security tool: Windows Defender (built into Windows), Malwarebytes, or Bitdefender. If the attacker gained access through malware on your device, cleaning it prevents recompromise.
Preventing Future Compromises
Once you have secured the immediate breach, take steps to prevent it from happening again: use a password manager, enable 2FA on every account, and avoid common password mistakes that put your accounts at risk.