What to do if you get hacked
If your account has been compromised, the first few hours matter most. Here is a plain-English, step-by-step guide for UK consumers on what to do.
Getting hacked is one of those things most people assume happens to someone else, right up until it doesn’t. Whether it is a compromised email account, a social media profile posting things you never wrote, or a bank alert about a transaction you did not make, the first few hours after discovering a breach matter more than most people realise.
Here is what you should actually do, in order, without panicking.
The first thing to do is get control of the affected account back. If you still have access, change the password immediately. Use something long, random, and unique to that account. If you cannot log in because the attacker has already changed the password, use the account’s recovery options, typically a backup email address or phone number. Most major services, including Google, Microsoft, Apple, and Meta, have identity verification processes for exactly this situation. Do this before anything else. Everything else can wait.
Your email account deserves special attention, because it is effectively the master key to almost every other account you have. Most password resets arrive by email, which means if an attacker controls your inbox they can reset any account they choose. If your email has been compromised, recovering it is the first priority. Once you have it back, check the recovery settings: backup email addresses, phone numbers, trusted devices. If any of these have been changed to ones you do not recognise, remove them. Also check for mail forwarding rules or filters you did not create, since these are a common way for an attacker to keep reading your mail after you change the password. Look at recent login history if the provider offers it. Google and Microsoft both show recent sign-in activity with locations and device types, which can confirm whether someone is still inside your account. If it looks like they are, use the provider's option to sign out of all other devices or sessions so that any session the attacker still holds is ended.
Most people reuse passwords, which means a breach of one account can cascade into others. If the hacked account shared a password with anything else, change those passwords too. Work through the obvious ones first: banking, your main email, Amazon, PayPal, Apple ID or Google account. Then work outwards to anything else you care about. This is also the moment to start using a password manager if you do not already. A good password manager generates and stores unique passwords for every account, which means a future breach of one account stays contained. 1Password, Bitwarden and Dashlane are all solid options at different price points.
Turn on two-factor authentication on every account you can. Two-factor authentication, usually shortened to 2FA, means that even if someone has your password they still cannot log in without a second confirmation, typically a code sent to your phone or generated by an app. It is the single most effective thing you can do to protect your accounts going forward. Authentication apps such as Google Authenticator or Microsoft Authenticator are more secure than SMS codes, which can be intercepted, but SMS is still a significant improvement over nothing at all. Go through your important accounts one by one and switch 2FA on.
Once the immediate access problem is solved, think about what the attacker may have been able to see. An email breach might mean personal correspondence and documents have been read. A social media breach is often limited to posts made on your behalf, but some accounts have payment methods attached. An account linked to a shopping or marketplace site might mean orders have been placed in your name. Work out the realistic worst case for the account that was compromised and act on it. If payment details were stored, check for unauthorised transactions. If personal information was visible, such as your date of birth, address, or phone number, stay alert over the following weeks to unusual requests or calls, which may be attempts to impersonate you elsewhere.
In the UK, cybercrime should be reported to Action Fraud, the national reporting centre run by the National Fraud Intelligence Bureau. You can do this online at actionfraud.police.uk or by calling 0300 123 2040. Reporting does not guarantee a personal investigation, but it contributes to a national picture of criminal activity and can support wider operations. If money has been taken from a bank account or payment card, contact your bank directly as well. The Authorised Push Payment fraud reimbursement rules that came into force in recent years mean you may be entitled to a refund if money was transferred without your authorisation. Your bank’s fraud line should be your first call.
If any of your business accounts were involved, there is an additional consideration. Under UK GDPR, if personal data belonging to customers or staff was accessed as part of the incident, you are likely required to notify the Information Commissioner’s Office within 72 hours of becoming aware of the breach. The ICO has guidance on its website about when and how to report, and getting this wrong can create further problems.
The weeks after an incident are worth watching carefully. Hackers who access accounts do not always act immediately. They gather information, return later, or sell credentials to others. Check your accounts and bank statements regularly for the next month. Be suspicious of any unexpected communications asking you to verify details, confirm a purchase, or provide access to anything. If you receive calls claiming to be from your bank, a government department, or a technology company reporting suspicious activity on your account, treat these with scepticism. Legitimate organisations will not ask you to move money, hand over login codes, or install software in response to an unexpected call.
Getting hacked is rarely a sign of carelessness. Credential stuffing attacks, phishing campaigns, and data breaches at large companies mean that some of your login details are probably already circulating in parts of the internet you never visit. The real question is not whether your details are out there, but whether an attacker can do anything useful with them. Unique passwords, two-factor authentication, and fast action when something goes wrong are the practical answers. None of this requires technical knowledge, just the willingness to spend an hour or two getting things sorted properly.