Hacked? Do This Now.
A calm, ordered checklist for the worst hour of your digital life – from locking the attacker out to making sure they cannot come back.
First 30 Minutes: Lock Them Out
- Start with email. Whoever controls your inbox can reset everything else. Change the password from a device you trust and enable two-factor authentication.
- Check recovery settings. Attackers add their own phone or email as recovery – remove anything you do not recognise, and check mail forwarding rules.
- Sign out everywhere. Every major service has a “sign out of all sessions” button in security settings – use it.
- Then banking and shopping accounts, then social media, in that order.
Next: Assess the Damage
- Look for password-reset emails you did not request – they show what the attacker touched.
- Check bank and card statements for small “test” charges before big ones.
- Check sent folders and DMs – attackers often message your contacts with scam links. Warn anyone who got one.
- If a work account is involved, tell your IT team immediately – faster reporting limits the blast radius.
Clean Your Devices
- Run a full scan with your antivirus or Windows Defender / macOS built-in protection.
- Remove browser extensions you did not install and check the browser’s start page and search engine settings.
- Update the operating system and browser – many compromises ride on old, unpatched software.
- If anything still feels off on a Windows PC, a clean reinstall is the only certain cure – back up files first.
Make It Not Happen Again
- Move to a password manager – unique passwords end the domino effect of one leak unlocking everything.
- Check yours with the password strength checker.
- Enable two-factor authentication on email, banking and socials – an authenticator app beats SMS codes.
- Learn the red flags with the scam message checker – most hacks start with one convincing message.