Security Guide

What to do if you think you’ve been hacked

This guide walks you through the first 60 minutes after a suspected breach — what to check, what to do immediately, and when to call for help.

Step 1 — Assess
Signs you may have been compromised
🔓

Unfamiliar logins

Sign-in notifications from locations you don’t recognize, or sessions you didn’t initiate showing in account activity.

📤

Emails you didn’t send

Contacts report receiving strange messages from you, or your Sent folder contains emails you don’t remember writing.

🔑

Password stopped working

You’re suddenly locked out of an account you use regularly. An attacker may have changed your credentials.

📱

New accounts or apps

Apps you didn’t install appearing on your device, or new accounts opened in your name that you didn’t create.

💳

Unexpected charges

Unfamiliar transactions on credit cards, subscription charges for services you don’t use, or new purchases in cloud accounts.

🚨

Antivirus alerts

Your security software detected and quarantined something suspicious, or your browser is redirecting to unexpected sites.

Step 2 — Respond
First 60 minutes — what to do right now
1. Don’t panic or restart

Restarting can destroy forensic evidence that helps identify what happened. Stay calm. Active malware rarely causes immediate data loss — the damage is usually already done or is gradual.

2. Disconnect from the internet if actively compromised

If you’re watching files encrypt in real time, or seeing a remote user control your cursor, unplug the ethernet cable and disable Wi-Fi immediately. This stops active exfiltration.

3. Change passwords from a DIFFERENT device

Use your phone or another computer — not the potentially compromised machine. Start with email (your email is the master key to everything else), then banking and critical services.

4. Enable MFA on every account you can

While you’re changing passwords, turn on multi-factor authentication. Even if an attacker has your new password, they can’t get in without your phone or authenticator app.

5. Check email forwarding rules in Gmail/M365

Attackers often set up silent forwarding rules so they keep receiving your email even after you change your password. In Gmail: Settings → See all settings → Forwarding. In M365: Mail settings → Email forwarding.

6. Check connected third-party apps and revoke anything suspicious

OAuth-connected apps can retain access even after a password change. Review connected apps in your Google, Microsoft, and social media accounts. Revoke anything you don’t recognize or no longer use.

7. Contact your bank if financial accounts are involved

Call the number on the back of your card — not any number from an email. Request a fraud alert, review recent transactions, and ask about temporary account freezes if necessary.
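
For anyone checking many mailboxes at once, the forwarding-rule check from step 5 can be scripted. The following is an added example, not part of the original guide: it assumes inbox rules have already been exported as JSON in the shape of Microsoft Graph messageRule objects, and the function name audit_rules, the sample rules, and the domains are constructed for illustration.

```python
import json

# Constructed sample: inbox rules shaped like Microsoft Graph messageRule
# objects. Rule names and addresses are invented for illustration.
SAMPLE_RULES = json.loads("""
[
  {"displayName": "Newsletters", "isEnabled": true,
   "actions": {"moveToFolder": "constructed-folder-id"}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["invoice", "payment"]},
   "actions": {"forwardTo": [{"emailAddress": {"address": "drop@mail.example.net"}}],
               "delete": true, "markAsRead": true}},
  {"displayName": "To assistant", "isEnabled": true,
   "actions": {"redirectTo": [{"emailAddress": {"address": "pa@corp.example.com"}}]}}
]
""")

FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")
HIDE_ACTIONS = ("delete", "permanentDelete", "markAsRead")  # keep the victim from noticing


def audit_rules(rules, own_domains):
    """Return one finding per rule that sends mail outside own_domains."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        external = []
        for key in FORWARD_ACTIONS:
            for rcpt in actions.get(key) or []:
                addr = (rcpt.get("emailAddress") or {}).get("address", "")
                if addr.rpartition("@")[2].lower() not in own:
                    external.append(addr)
        if not external:
            continue  # internal-only or non-forwarding rule
        hides = [k for k in HIDE_ACTIONS if actions.get(k)]
        findings.append({
            "rule": rule.get("displayName", ""),
            "external_recipients": external,
            "hides_evidence": hides,
            # Forwarding plus delete/mark-read is the silent pattern from step 5.
            "severity": "high" if hides else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES, ["corp.example.com"]):
        print(finding)
```

Any rule it reports should be reviewed and removed from a clean device, in the same session in which the password is changed.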

Step 3 — Follow through
After the immediate response

Document what happened. Write down a timeline — when you noticed the issue, what signs you saw, what accounts were affected, and what steps you’ve taken. This matters for any insurance claims or legal reporting.

Report to the FTC if fraud occurred. File a report at reportfraud.ftc.gov. This creates an official record and triggers identity theft recovery steps. Also report to ic3.gov (FBI’s Internet Crime Complaint Center) if financial loss was involved.

Notify affected parties if business data was exposed. If customer or employee data was accessed, most US states require breach notification. Consult a lawyer to determine your obligations — most statutes require notification within 30–60 days.

Get a proper security review. Once the immediate fire is out, a security professional should review your environment to find how the attacker got in and close the door.

Common questions
FAQ
Do I need to wipe my computer?

Not always. It depends on what happened. A compromised email account with no malware on the device doesn’t require a wipe. Active malware or ransomware often does. A security professional can help you make the right call — and if you’re unsure, a fresh OS installation is never the wrong choice when security is at stake.

I clicked a phishing link. Am I hacked?

Not necessarily. If you clicked but didn’t enter credentials and nothing was downloaded, you’re likely fine. If you entered a username/password, treat that account as compromised and change the password immediately. If a file was downloaded and opened, run a malware scan right away.

Should I pay ransomware demands?

The FBI and most security professionals advise against paying. Payment doesn’t guarantee your files will be recovered, marks you as a willing payer, and funds criminal operations. Call a ransomware specialist before paying anything. If you have good backups, a restore is almost always faster and cheaper than negotiating with attackers.

How do I know when I’m “safe” again?

You’ve changed all passwords, enabled MFA, reviewed forwarding rules and connected apps, confirmed no malware is present, and rotated any API keys or credentials that may have been exposed. For a business breach, a professional security review provides confidence that the entry point is closed.
