What to Do If Your Account Is Compromised

Step-by-step emergency checklist for when you think an account has been hacked

If you think someone has access to one of your accounts, act fast. The first few minutes matter — an attacker with access to your email can reset passwords on your other accounts, lock you out further, and cause real damage. Do not panic, but do not wait either. Work through this checklist in order.

First 5 minutes: stop the bleeding

These are the most urgent steps. Do them right now.

  1. Change your password on the compromised account immediately. Use a long, unique password you have never used before. If you have a password manager, generate one. If you do not, use four or more random words strung together
  2. Enable two-factor authentication (2FA) if it is not already on. Use an authenticator app rather than SMS if you have the choice. See our two-factor authentication guide for setup steps
  3. Check and fix your recovery email and phone number. Attackers often change these so they can reset your password again after you change it. Go to your account's security settings and make sure the recovery email and phone number are yours
  4. Log out of all other sessions. Most services have an option to sign out everywhere. This forces the attacker out immediately:
    • Google: myaccount.google.com > Security > Your devices > Manage all devices > sign out any you do not recognize
    • Microsoft: account.microsoft.com > Security > Sign-in activity > review and end sessions
    • Apple: appleid.apple.com > Devices > remove any you do not recognize
    • Facebook/Meta: Settings > Security and Login > Where you're logged in > Log out of all sessions

If you are locked out and cannot change the password, skip to the account recovery section below.

First hour: assess the damage

Now that immediate access is cut off, check what the attacker may have done.

  1. Review recent account activity. Most services have a login history or security activity log. Look for logins from unfamiliar locations, devices, or IP addresses
  2. Check for email forwarding rules. This is a common trick — the attacker sets up auto-forwarding so they get a copy of everything even after you change your password. In Gmail, check Settings > Forwarding and POP/IMAP. In Outlook, check Settings > Mail > Forwarding. Delete any rules you did not create
  3. Revoke access to connected apps and services. Attackers sometimes connect third-party apps to maintain access. Review authorized apps in your account's security or privacy settings and remove anything you do not recognize
  4. Check for sent messages. Look in your sent folder and trash for messages you did not send. Attackers often send phishing emails or scam messages to your contacts from your account
  5. Check other accounts that use the same password. If you reused the compromised password anywhere else, change those passwords immediately. This is the biggest reason to use a password manager — it eliminates password reuse entirely

If you are locked out

If the attacker changed your password and you cannot get back in:

  1. Use the service's account recovery flow. Every major service has one:
    • Google: accounts.google.com/signin/recovery
    • Microsoft: account.live.com/password/reset
    • Apple: iforgot.apple.com
    • Facebook: facebook.com/login/identify
  2. Use your recovery email or phone number to receive a reset link or code. If the attacker changed these, the recovery process takes longer and may require identity verification
  3. Use your 2FA backup codes if you set them up and saved them. This is exactly the situation they are for
  4. Contact the service's support if self-service recovery fails. Be prepared to verify your identity with things like previous passwords, account creation date, or payment information on file

Email compromised

Email is the most critical account because it controls password resets for everything else. If your email is compromised, treat it as a multi-account emergency.

  1. Work through the steps above to secure the email account first
  2. Check all forwarding rules and filters — delete anything you did not create
  3. Change passwords on your most sensitive accounts that use this email: banking, financial services, and primary social media. Do these even if they do not show suspicious activity, because the attacker could have intercepted reset emails
  4. Warn your contacts that your email was compromised. Attackers often send phishing messages to your contact list. A quick message telling people to ignore anything suspicious from your address can prevent further damage

Social media compromised

  1. Change the password and enable 2FA
  2. Review recent posts, messages, and profile changes. Delete anything the attacker posted
  3. Check connected apps in your account's settings and remove anything unfamiliar
  4. Alert your followers with a post explaining the situation if the attacker posted or messaged from your account
  5. Most platforms have a dedicated "report compromised account" option — use it. It can help speed up recovery and flag fraudulent activity

Bank or financial account compromised

Call your bank directly. Do not use a phone number from an email or text — find the number on the back of your card or on the bank's official website.

  1. Report the unauthorized access to the bank's fraud department. They can freeze the account, reverse fraudulent transactions, and issue new card numbers
  2. Change your online banking password and enable 2FA
  3. Review recent transactions carefully. Flag anything you did not authorize
  4. Consider a credit freeze at the major credit bureaus (Equifax, Experian, TransUnion) if you suspect identity theft. A credit freeze prevents anyone from opening new accounts in your name. It is free and can be lifted temporarily when you need it
  5. File a report with your local authorities and your country's fraud reporting service if money was stolen

Do not attempt to handle financial fraud through email or chat alone. A phone call to your bank is the fastest and most reliable way to stop ongoing damage.

Follow-up: prevent it from happening again

Once the immediate crisis is handled:

  1. Set up a password manager if you do not have one. See our password manager guide. This eliminates the password reuse problem that makes one breach turn into many
  2. Enable 2FA on every account that supports it. Start with email, banking, and social media. See our 2FA guide
  3. Check Have I Been Pwned at haveibeenpwned.com — enter your email address to see which data breaches have included your credentials. Change passwords for any breached services you have not already addressed
  4. Sign up for breach notifications at Have I Been Pwned so you are alerted if your email appears in future breaches
  5. Run a malware scan on your devices. If your password was stolen by malware rather than a data breach, changing passwords will not help until the malware is removed
  6. Review your security questions. If any accounts use security questions, make sure the answers are not guessable from your social media profiles. Better yet, use random answers stored in your password manager

Frequently Asked Questions

How do I know if I have been hacked?

Signs include: password suddenly stops working, login alerts from locations you do not recognize, messages in your sent folder you did not write, friends telling you they received strange messages from you, unexpected password reset emails, unfamiliar devices in your account's security settings, or unauthorized transactions. Check haveibeenpwned.com to see if your email has appeared in known data breaches.

What is Have I Been Pwned?

Have I Been Pwned is a free service created by security researcher Troy Hunt that lets you check if your email address or passwords have been exposed in data breaches. Enter your email at haveibeenpwned.com and it shows which breaches included your data. It also has a password checker (safe to use — it does not send your full password) and a notification service that emails you if your address appears in future breaches. Everyone should check it periodically.
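As an added illustration of why the password checker is safe to use (example code written for this page, not Have I Been Pwned's own): the password is hashed with SHA-1 on your device, only the first five hex characters of the hash are sent, the service answers with every known hash suffix sharing that prefix, and the match is made locally. The range response and its counts below are constructed for the demo; `live_fetch` shows the real endpoint but is not called.

```python
import hashlib
import urllib.request
from typing import Callable

# Constructed sample of a range response for SHA-1 prefix 5BAA6 (the prefix of
# sha1("password")): 35 remaining hex chars and a count per line. A 0 count is
# padding the service can add so response sizes do not reveal the prefix queried.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
        "1F0F6B8D3C1A4A8E2B5D9C7E6F4A3B2C1D0:0\n"
    ),
}

def hash_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5 chars that are sent and the
    35 chars that never leave the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict, skipping blank or malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password was seen in breaches (0 if absent). Only the
    hash prefix is sent; the suffix comparison happens locally."""
    prefix, suffix = hash_prefix_and_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")

def live_fetch(prefix: str) -> str:
    """The real query (not used by the offline demo); Add-Padding requests padding lines."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ("password", "four-random-words-example-2024"):
        print(pw, "->", breach_count(pw, offline_fetch))
```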

Should I delete a compromised account?

Usually not right away. If you delete the account, an attacker could potentially recreate it with the same username or email and impersonate you. Instead, secure the account (new password, 2FA, clean up damage), then decide later whether you still want it. If you do decide to delete, make sure you have migrated any important data and updated any services that depend on that account first.

Can someone hack me again after I change my password?

Yes, if the original method of compromise is still active. If your password was stolen by malware on your device, the malware will capture your new password too — run a malware scan first. If you reused the same password elsewhere, change it everywhere. If the attacker set up email forwarding or connected apps, they can maintain access even after a password change. That is why the full checklist above is important, not just the password change.