What to do if you think you’ve been hacked
This story has been updated. It was originally published on October 9, 2017.
Being hacked can feel like a personal attack: You go to log into Facebook, Gmail, or iCloud—and your password doesn’t work, leaving you unable to access your most important online accounts. This worst-case scenario might bring on feelings of nausea and helplessness. Fortunately, you can take action in the face of digital vandalism. If you find yourself locked out of your accounts, major internet services have prepared a few routes for getting back in. As well as restoring your access, these companies help you limit the damage a hacker can do.
How do you know that someone else has truly taken control of one of your accounts? Not being able to log in is a big clue—but don’t immediately assume you’ve been hacked the moment your password doesn’t work. First, make sure the culprit is really a bad actor: For example, if you can’t get into your Facebook or Twitter account on your computer, try logging in on another device to see if you’ve really lost your access. Also make sure to double-check the password you’re typing before you start to suspect the worst.
Another warning sign can come in the form of email. Many services will send you messages about suspicious activity, such as when somebody logs into your account from an unfamiliar computer (or an unfamiliar country), or when somebody changes your username or password. Make sure to check your inbox for emails like these. Also, keep an eye out for messages from friends: If “you” have started sending them spam, they can alert you that your account was compromised.
Once you realize you’ve been hacked, it’s time to roll up your sleeves and take back your account.
Raise the alarm
The good news is that you have help: Google, Apple, Microsoft, and other tech giants don’t want impostors to take over your online identities either, so they’ll try their best to restore your access. For example, in some cases where you can’t open your account, it’s because the company sensed suspicious activity and automatically locked everyone out.
So when you suspect a hack, your first step is to tell the company. A quick web search, such as “report Gmail hack,” should reveal the right place to explain your problem. Before you start entering information, make sure that the page you visit is the official recovery page. Check the URL to make sure the page is hosted on the correct web domain for the service you’re trying to access, such as google.com or apple.com. We’ve also rounded up the best recovery practices for a few of the big players: For Google, try the steps listed here, try these for Apple, and find Microsoft’s tips here.
[Related: How to make sure no one is spying on your computer]
Then just follow the instructions the app or service gives you—these will be tailored specifically for your account. Different programs employ different recovery methods, so you might have to confirm your phone number or backup email address, or answer personal questions—such as a few queries about your Facebook friends—to prove you are the real account owner.
If you’re lucky, you’ll get back in pretty fast. That’s partially because today’s apps collect so much data about us that they can identify individuals through tidbits such as date of birth, phone number, and location. However, getting back into your account isn’t the last step you’ll need to take.
Change your passwords
Once you can log in once more—or if you could already access your account but have noticed suspicious activity—change your password to boot out any unwelcome visitors. The new code should be completely new; don’t recycle a past password or reuse the same string of letters and numbers that open another account. If you have been using that old password to access multiple accounts (which you really should not do!), change the password on your other accounts as well.
Most online services let you see all the devices where you’re logged in. Hunt around the security settings until you find this page. Then, log out of all other sessions except the one you’re currently using. For example, you can visit this Facebook page and this Google page to log out of sessions you don’t recognize.
While you’re poking around your account, review the other settings to make sure nothing has been changed. Look at your personal details, review any third-party apps connected to your account, check your security questions and answers, and confirm your backup email addresses and/or phone numbers are ones that belong to you. If you think your hacker had a chance to scan your security questions and backup accounts, try to change these on the compromised account and on any other account that relies on the same information. This will prevent the bad actor from using your personal details to breach other accounts in the future.
Speaking of other accounts, were your credit cards, bank accounts, or other financial programs connected to the compromised service? In this case, review your statements. If your hacker spent any of your money, you should try to claim back the cash as soon as possible—contact your bank directly and ask how to do this. While you’re checking for financial malfeasance, also review your account to see if the hacker added any unfamiliar payment methods or shipping addresses.
Run security checks
Having recovered from a hacking attempt, you’ll want to protect against any future ones. So activate the security features designed to prevent attacks—for more details, you can follow our guide to protecting your online accounts. One of the most helpful measures is turning on two-factor authentication, where logging in requires a code sent to your phone, on top of the standard username and password. And specific services offer their own security features: Facebook, for example, lets you add a list of trusted friends who can verify your identity if you get hacked again. Turn on this option via the Password and Security page in the site’s settings.
Next, try to find out how the hacker managed to access your account so you can prevent future incursions. This won’t always be possible, but it can’t hurt to run a thorough virus and malware scan of your hard drive (in case that’s how the attacker got in). Before you start, update both your operating system and your antivirus package of choice. After you run the review, get a second opinion from a standalone scanner like Kaspersky Virus Scanner for macOS or Microsoft Safety Scanner for Windows.
If the breach affected a service that includes email, such as your Google account, check the email account for sent messages or for new filters. For example, clever hackers can set up filters that forward all incoming mail to an address you don’t recognize. Delete such filters to prevent people from worming their way back into your account in the future. This is particularly important because you can reset many other accounts’ passwords, and receive notifications about suspicious activity, over email. You don’t want an eavesdropper to nab those recovery messages.
In fact, even if only one account becomes compromised, you should consider all your main services breached. Carry out a thorough security audit on all of them, working through all the steps we’ve mentioned above. For more details on strengthening the security of individual services, check out our previous guides to locking down your Google, Apple, Microsoft, and Facebook accounts.