What to do if you get hacked
What To Do If You Get Hacked explained in plain English. If your account has been compromised, the first few hours matter most. Here is a plain English.
Getting hacked is one of those things most people assume happens to someone else, right up until it doesn’t. Whether it is a compromised email account, a social media profile posting things you never wrote, or a bank alert about a transaction you did not make, the first few hours after discovering a breach matter more than most people realise.
The Short Version
- Knowing what to do if you get hacked is useful, but the settings and recovery options already in place matter more than any product's marketing label.
- The safest choice depends on the data, account access and recovery options involved.
- Good technology decisions are usually about habits, settings and limits.
- The practical answer is to choose the tool that reduces risk without adding avoidable friction.
What The Tool Actually Does
Here is what you should actually do, in order, without panicking.
The National Cyber Security Centre guidance is a useful baseline for everyday security decisions because it keeps the focus on practical protection rather than marketing claims.
In the UK, cybercrime should be reported to Action Fraud, the national reporting centre run by the National Fraud Intelligence Bureau. You can do this online at actionfraud.police.uk or by calling 0300 123 2040. Reporting does not guarantee a personal investigation, but it contributes to a national picture of criminal activity and can support wider operations. If money has been taken from a bank account or payment card, contact your bank directly as well. The Authorised Push Payment fraud reimbursement rules that came into force in recent years mean you may be entitled to a refund if money was transferred without your authorisation. Your bank’s fraud line should be your first call.
A useful way to test what to do if you get hacked is to start with the failure case. Ask what happens if the device is lost, the account is compromised, or the provider changes its terms.
When It Is Useful
The first thing to do is get control of the affected account back. If you still have access, change the password immediately. Use something long, random, and unique to that account. If you cannot log in because the attacker has already changed the password, use the account’s recovery options, typically a backup email address or phone number. Most major services, including Google, Microsoft, Apple, and Meta, have identity verification processes for exactly this situation. Do this before anything else. Everything else can wait.
If any of your business accounts were involved, there is an additional consideration. Under UK GDPR, if personal data belonging to customers or staff was accessed as part of the incident, you are likely required to notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach. The ICO has guidance on its website about when and how to report, and getting this wrong can create further problems.
The next step is to check recovery. A tool that works well on a normal day can still be a poor choice if it leaves you stuck during an emergency.
Where It Can Go Wrong
Your email account deserves special attention, because it is effectively the master key to almost every other account you have. Most password resets arrive by email, which means if an attacker controls your inbox they can reset any account they choose. If your email has been compromised, recovering it is the first priority. Once you have it back, check the recovery settings: backup email addresses, phone numbers, trusted devices. If any of these have been changed to ones you do not recognise, remove them. Look at recent login history if the provider offers it. Google and Microsoft both show recent sign-in activity with locations and device types, which can confirm whether someone is still inside your account.
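As an added illustration of the sign-in check described above (not code from the original article, and not tied to any provider's real export format), the following Python reviews a constructed list of recent sign-in events against the devices and places the account owner actually uses. The field names, sample events, known devices and locations are all assumptions made up for the example.

```python
from dataclasses import dataclass, field

# Constructed sample of a "recent sign-in activity" list, in the rough shape a
# provider might show (hypothetical field names, not any real export format).
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T08:12:00Z", "device": "iPhone",     "location": "Manchester, GB", "success": True},
    {"time": "2024-05-02T23:41:00Z", "device": "Windows PC", "location": "Lagos, NG",      "success": False},
    {"time": "2024-05-02T23:43:00Z", "device": "Windows PC", "location": "Lagos, NG",      "success": True},
    {"time": "2024-05-03T07:02:00Z", "device": "MacBook",    "location": "Manchester, GB", "success": True},
    {"time": "2024-05-03T19:30:00Z", "device": "Windows PC", "location": "Lagos, NG",      "success": True},
]

# Devices and places the account owner genuinely uses (constructed for the example).
KNOWN_DEVICES = {"iPhone", "MacBook"}
KNOWN_LOCATIONS = {"Manchester, GB", "London, GB"}


@dataclass
class Finding:
    time: str
    device: str
    location: str
    reasons: list = field(default_factory=list)


def review_signins(events, known_devices, known_locations):
    """Return successful sign-ins from a device or place the owner does not
    recognise. Failed attempts are not counted as access to the account."""
    findings = []
    for ev in events:
        reasons = []
        if ev["device"] not in known_devices:
            reasons.append("unrecognised device")
        if ev["location"] not in known_locations:
            reasons.append("unrecognised location")
        if reasons and ev["success"]:
            findings.append(Finding(ev["time"], ev["device"], ev["location"], reasons))
    return findings


def intruder_still_active(events, known_devices, known_locations):
    """True when the most recent successful sign-in is one the owner does not
    recognise: the attacker's session is probably still open, so signing out
    of all sessions and changing the password is the next action."""
    successes = sorted((e for e in events if e["success"]), key=lambda e: e["time"])
    if not successes:
        return False
    last = successes[-1]
    return last["device"] not in known_devices or last["location"] not in known_locations


if __name__ == "__main__":
    for f in review_signins(SAMPLE_SIGNINS, KNOWN_DEVICES, KNOWN_LOCATIONS):
        print(f.time, f.device, f.location, "; ".join(f.reasons))
    print("intruder still active:",
          intruder_still_active(SAMPLE_SIGNINS, KNOWN_DEVICES, KNOWN_LOCATIONS))
```

On the constructed data the two successful Lagos sign-ins are flagged, and because the most recent successful sign-in is one of them, the check reports that the intruder is probably still inside the account; that is the cue to sign out all sessions and rotate the password rather than only reviewing the list.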
The weeks after an incident are worth watching carefully. Hackers who access accounts do not always act immediately. They gather information, return later, or sell credentials to others. Check your accounts and bank statements regularly for the next month. Be suspicious of any unexpected communications asking you to verify details, confirm a purchase, or provide access to anything. If you receive calls claiming to be from your bank, a government department, or a technology company reporting suspicious activity on your account, treat these with scepticism. Legitimate organisations will not ask you to move money, hand over login codes, or install software in response to an unexpected call.
That is why practical technology decisions should be judged by everyday use and recovery, not only by features.
The Settings That Matter
Most people reuse passwords, which means a breach of one account can cascade into others. If the hacked account shared a password with anything else, change those passwords too. Work through the obvious ones first: banking, your main email, Amazon, PayPal, Apple ID or Google account. Then work outwards to anything else you care about. This is also the moment to start using a password manager if you do not already. A good password manager generates and stores unique passwords for every account, which means a future breach of one account stays contained. 1Password, Bitwarden and Dashlane are all solid options at different price points.
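To show the cascade the paragraph above warns about, here is an added Python example (not from the original article or any password manager vendor) that works through a constructed vault export and lists every other account sharing a password with the compromised one, high-value accounts first. The sites, usernames, passwords and the high-value list are all invented for the example; passwords are fingerprinted with SHA-256 so the report never carries them in plaintext.

```python
import hashlib
from collections import defaultdict

# Constructed password-manager export (fake sites and passwords, illustration only).
VAULT = [
    {"site": "mail.example",   "username": "alice@mail.example", "password": "Summer2023!"},
    {"site": "bank.example",   "username": "alice",              "password": "Summer2023!"},
    {"site": "forum.example",  "username": "alice99",            "password": "Summer2023!"},
    {"site": "shop.example",   "username": "alice",              "password": "Tr0ub4dor&3"},
    {"site": "social.example", "username": "alice99",            "password": "correct horse battery staple"},
]

# Accounts to change first when they share a password with anything (constructed list).
HIGH_VALUE = {"mail.example", "bank.example"}


def _fingerprint(password: str) -> str:
    # Hash so that grouping and reporting never handle the plaintext password.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def reuse_groups(vault):
    """Map each password fingerprint to the sites using it, keeping only
    fingerprints shared by two or more sites."""
    groups = defaultdict(list)
    for entry in vault:
        groups[_fingerprint(entry["password"])].append(entry["site"])
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def cascade_from(vault, compromised_site):
    """Sites that share a password with the compromised site, ordered with
    high-value accounts first so they are changed before the rest."""
    by_site = {e["site"]: _fingerprint(e["password"]) for e in vault}
    if compromised_site not in by_site:
        raise KeyError(f"{compromised_site} is not in the vault")
    fp = by_site[compromised_site]
    exposed = [s for s, f in by_site.items() if f == fp and s != compromised_site]
    return sorted(exposed, key=lambda s: (s not in HIGH_VALUE, s))


if __name__ == "__main__":
    # A breach of the low-value forum account exposes the mailbox and the bank login.
    print("change next:", cascade_from(VAULT, "forum.example"))
    print("reused password groups:", list(reuse_groups(VAULT).values()))
```

The point the output makes is the one in the text: a leak from a forum nobody cares about becomes a mailbox and banking problem purely because of reuse, and a unique password per account (the password manager's job) empties the cascade list.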
Getting hacked is rarely a sign of carelessness. Credential stuffing attacks, phishing campaigns, and data breaches at large companies mean that some of your login details are probably already circulating in parts of the internet you never visit. The real question is not whether your details are out there, but whether an attacker can do anything useful with them. Unique passwords, two-factor authentication, and fast action when something goes wrong are the practical answers. None of this requires technical knowledge, just the willingness to spend an hour or two getting things sorted properly.
What To Check Before You Rely On It
Turn on two-factor authentication on every account you can. Two-factor authentication, usually shortened to 2FA, means that even if someone has your password they still cannot log in without a second confirmation, typically a code sent to your phone or generated by an app. It is the single most effective thing you can do to protect your accounts going forward. Authentication apps such as Google Authenticator or Microsoft Authenticator are more secure than SMS codes, which can be intercepted, but SMS is still a significant improvement over nothing at all. Go through your important accounts one by one and switch 2FA on.
The Safer Everyday Habit
Once the immediate access problem is solved, think about what the attacker may have been able to see. An email breach might mean personal correspondence and documents have been read. A social media breach is often limited to posts made on your behalf, but some accounts have payment methods attached. An account linked to a shopping or marketplace site might mean orders have been placed in your name. Work out the realistic worst case for the account that was compromised and act on it. If payment details were stored, check for unauthorised transactions. If personal information was visible, such as your date of birth, address, or phone number, stay alert over the following weeks to unusual requests or calls, which may be attempts to impersonate you elsewhere.
A Worked Example
Imagine a reader is looking at what to do if you get hacked and trying to decide whether it matters in practice. The first mistake would be to accept the label without checking the details behind it.
A better approach is to list the claim, the evidence, the cost and the downside. If any one of those is unclear, the decision needs more work before it deserves confidence.
That small pause changes the whole exercise. Instead of reacting to a headline, the reader is testing whether the idea survives contact with real constraints.
What This Means For You
The useful point is not to memorise every detail of what to do if you get hacked. It is to know which questions make the topic safer to use.
Start with the plain-English version, then compare it with the evidence. The related Cristoniq guides on Password managers: why you need one and Backing up your data are good next checks.
If the idea still makes sense after that, you have a better basis for action. If it only works when the awkward details are ignored, that is the answer.
In Plain English
What To Do If You Get Hacked is not a magic phrase. It is a practical idea that needs context before it becomes useful.
The simple rule is to ask what the term means, what problem it solves, and what new risk it creates.
When those answers are clear, the topic becomes easier to judge. When they are vague, slow down.