April 04, 2026

What to do if you have been hacked: an action plan

People often realize they have been hacked only after a delay: a strange email, an unexpected charge, a friend asking about a weird message, or suddenly being locked out. The goal is not to freeze, but to act in order — the first hours often determine how bad things get.

This guide is practical orientation, not a substitute for law enforcement or legal counsel where those are needed, but it helps you take back the initiative quickly. Pair it with common mistakes that lead to account hacks and where scammers get your data.

Step 0. Quickly gauge the scope

Clarify what happened:

  • A single service (social network, game, shop) versus email or phone as the “master key” to everything else.
  • A device (PC, smartphone) behaving oddly versus only a cloud account.
  • Any sign of financial impact (bank, wallets, cards).

That sets priorities: a compromised email or phone number is usually more urgent, because attackers use them to reset passwords everywhere.

Step 1. Stop the bleeding

If an account is involved:

  • From another clean device (or after checking the current one — see below), sign in and revoke all sessions where the service allows it.
  • Change the password to a new, unique, long one (ideally via a password manager).
  • Check backup email and recovery phone — attackers often swap them.
  • Enable or re‑configure two‑factor authentication. If SMS might be intercepted, prefer an authenticator app or a hardware key.

If a device is involved:

  • Where possible, disconnect from the network (Wi‑Fi, mobile data), but do not force a hard shutdown while important data is still being saved.
  • Do not type banking or email passwords on that device until you trust it again.

If money is at risk:

  • Block cards via the bank app or hotline.
  • Report unauthorized transactions and keep statements and screenshots.

Step 2. Regain control of anchor accounts

The usual anchors are email and your mobile OS account (Apple ID / Google). While an attacker controls them, they can reset passwords on many other sites.

  • Use the service’s official account recovery (support, identity checks).
  • Remove unknown devices and apps with access in security settings.
  • Check forwarding rules and filters in email — a common way to hide takeover activity.
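
One way to carry out the forwarding and filter check for a Gmail mailbox, as an added example that is not part of the original guide. It assumes the filters were exported from Gmail's settings as an XML file; the sample data, the addresses and the function name audit_filters are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Constructed sample in the shape of a Gmail filter export (assumed format).
SAMPLE = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR security'/>
    <apps:property name='forwardTo' value='collector@mailbox.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='no-reply@bank.example'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""

# Actions that keep matching mail out of the owner's sight.
HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

def audit_filters(xml_text, own_domains=()):
    """Return (filter_index, reasons, properties) for filters worth a manual look."""
    findings = []
    root = ET.fromstring(xml_text)
    for idx, entry in enumerate(root.findall("atom:entry", NS), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        reasons = []
        fwd = props.get("forwardTo", "")
        # Forwarding to a domain the owner does not list as their own is flagged.
        if fwd and fwd.rsplit("@", 1)[-1].lower() not in own_domains:
            reasons.append(f"forwards mail to {fwd}")
        hidden = [a for a in HIDE_ACTIONS if props.get(a) == "true"]
        if hidden:
            reasons.append("hides matching mail: " + ", ".join(hidden))
        if reasons:
            findings.append((idx, reasons, props))
    return findings

if __name__ == "__main__":
    for idx, reasons, _ in audit_filters(SAMPLE):
        print(f"filter #{idx}: {'; '.join(reasons)}")
```

A flagged filter is not proof of takeover, since legitimate filters also archive or mark mail as read; delete any rule you do not recognize as your own.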

Step 3. Walk the dependency chain

List services tied to the compromised email or the same password (if you reused passwords — see password mistakes):

  • Social, messengers, cloud, marketplaces, subscriptions.
  • Work accounts — notify IT or management if corporate data may be exposed.

For each: new password, check linked contacts, revoke suspicious sessions.

Step 4. Check devices for malware

If you typed passwords on a compromised PC or phone, rotating passwords on that same machine can expose the new ones again.

  • Run a full scan with built‑in security or a reputable antivirus.
  • Remove unknown browser extensions and suspicious programs.
  • Update the OS and browser.
  • When in doubt, change passwords only after cleanup or from another device.

Step 5. Document and report where appropriate

  • Screenshots of emails, login history, charges, support chats — with dates.
  • Police — for theft, extortion, threats, identity abuse.
  • Platform support — to stop abuse carried out in your name.
  • Credit‑related services if fraudulent applications are a realistic risk.

Step 6. After things are stable — harden

  • A password manager and unique passwords for important services.
  • 2FA everywhere it is offered.
  • Backup codes and recovery paths stored safely, not only in the same mailbox.
  • Alerts for bank transactions and login notifications.

What not to do

  • Do not pay a ransom in response to anonymous demands without talking to authorities; paying often leads to follow‑on scams.
  • Do not use links in email to “recover” an account unless you trust the sender. Open the site manually.
  • Do not dismiss a “small” account breach — it is often the stepping stone to the rest.

Short checklist

  1. Scope: account, device, or finances.
  2. Contain: sessions, passwords, cards.
  3. Recover email and cloud identity.
  4. Update other services in the chain.
  5. Scan devices. Rotate secrets from a trusted environment.
  6. Preserve evidence. Contact authorities and support as needed.
  7. Improve defenses for next time.

Being hacked is common enough that it should be treated as an incident, not a personal failure. A structured response limits damage and restores control faster than random trial and error.
