Think You Have Been Hacked? A Calm, Step-by-Step Recovery Plan
Heads up: this article contains affiliate links. If you buy through them we may earn a commission at no cost to you. We only recommend tools we trust — see our disclosure.
That sinking feeling when something looks off with one of your accounts is awful. Maybe a friend texted to say you sent them a weird link, or you got an email about a password change you never made, or your phone suddenly lost signal for no reason. Your heart starts pounding and your brain jumps straight to the worst case.
Take a breath. Most situations like this are completely recoverable, and panic is the only thing that makes them worse. This is a calm, ordered plan you can follow start to finish. We'll figure out whether you've actually been hacked, then lock everything back down in the right sequence so the bad guys lose access for good.
First, let's figure out if you were actually hacked
Not every glitch is a hack. Sometimes an app just logs you out, or a service has an outage, or you genuinely forgot a password. Before you tear everything apart, look for real signs of trouble. They differ by what kind of account or device you're worried about.
Your email account
Email is the big one, so watch it closely. Warning signs include: messages in your Sent folder that you never wrote, contacts replying to things you didn't send, password-reset emails for other services arriving out of nowhere, or your inbox suddenly empty because someone deleted everything to cover their tracks. A new "rule" or "filter" you didn't create is a huge red flag too.
Social media
Look for posts, comments, or direct messages you didn't make, your profile photo or bio changed, new accounts you're suddenly following, or a notification that your login email or phone number was updated. Friends telling you "you sent me a strange link" is one of the most common first clues.
Bank, card, and payment accounts
Check for charges you don't recognize, even tiny ones (thieves often test a card with a $1 charge before going bigger), new payees or transfers you didn't set up, alerts that your address or phone number changed, or a card declined when you know there are funds.
Your computer
Signs include sudden, dramatic slowness, programs you never installed, your browser homepage or search engine swapped out, a flood of pop-ups, your security software turned off, or files you can't open. A demand for payment to "unlock" your files is ransomware and deserves its own playbook.
Your phone
Watch for your battery draining unusually fast, data usage spiking, apps you didn't install, settings that changed on their own, and the scariest one: losing cell signal entirely while others around you have it. That can mean a SIM swap, where someone tricks your carrier into moving your number to their device.
The first few minutes: stay calm and get to a clean device
Here's the single most important rule of recovery: do your cleanup from a device you trust. If your laptop might be infected, don't use it to change your passwords, because malware could simply capture the new ones as you type. Grab a different device you're confident is clean, like your phone (if the phone isn't the problem) or a family member's computer.
Resist the urge to do everything at once. Close the tabs, put the panicked to-do list aside, and work the steps below in order. Acting in the right sequence is what actually shuts the attacker out, while flailing often just tips them off that you've noticed.
One more thing: don't click any "you've been hacked, call this number" pop-ups or links. Those are frequently scams designed to make a real problem worse. We'll fix this with the steps here, on your own terms.
Secure your email first — it's the master key
If you only do one thing today, do this one. Your email is the master key to your entire online life. Think about it: when you click "forgot password" on almost any site, where does the reset link go? Your email. Whoever controls your inbox can reset the password on your bank, your social accounts, your shopping, everything. That's why we lock it down before anything else.
Start here, in this order:
- Change your email password to something brand new, long, and unique (more on doing that properly below).
- Sign out all other sessions. Most providers have a "security" or "your devices" page with a button like "Sign out of all devices" or "Log out everywhere." This instantly kicks the attacker off, even if they still know the old password.
- Turn on two-factor authentication if it isn't already (covered below).
- Check your recovery settings. Make sure the backup email and phone number listed are yours and not something the attacker slipped in.
If you're not sure where to begin or want a friendly walk-through of the basics, the Start Here guide lays out the foundations in plain language.
Change your passwords the right way
Changing a password sounds simple, but most people do it in a way that leaves them exposed. The goal is a password that is long, random, and used on exactly one account. The reason for "one account" matters: if you reuse the same password everywhere, a breach at one tiny website hands attackers the keys to all the others. This trick even has a name, "credential stuffing," where criminals take a leaked password and try it on hundreds of other sites automatically.
Nobody can remember dozens of unique, random passwords, and you shouldn't try. This is exactly what a password manager is for. It's a secure app that creates strong passwords, stores them encrypted, and fills them in for you. You only have to remember one strong master password to unlock the vault. Good, trustworthy options include Bitwarden and 1Password.
If you're setting one up for the first time, our guide on how to set up a password manager walks you through it step by step, and our roundup of the best password managers compares the top choices.
When you're in cleanup mode, change passwords in this priority order:
- Email (you already did this).
- Banking and financial accounts.
- Anything tied to money: shopping sites with saved cards, PayPal, Venmo.
- Social media and other accounts where being impersonated could hurt you.
- Everything else, especially anywhere you reused the compromised password.
Need a strong one right now? Use our free password generator, and if you're curious how sturdy a password really is, run it through the password strength checker.
Turn on two-factor authentication everywhere it counts
Two-factor authentication (2FA) means logging in needs two things: something you know (your password) and something you have (a code or a tap on your phone). Even if a thief steals your password, they can't get in without that second factor. It is one of the most effective protections you can switch on, and it takes a couple of minutes per account.
Not all 2FA is equal, though. Here's the ranking from good to best:
- Text-message (SMS) codes — better than nothing, but vulnerable to SIM-swap attacks, where someone hijacks your phone number.
- Authenticator apps — generate codes right on your device, with no phone number to steal. A solid, free upgrade.
- Hardware security keys — a small physical device, like a YubiKey, that you tap or plug in. These are the gold standard and are extremely resistant to phishing.
For a deeper comparison of the three approaches, see our guide on SMS vs. app vs. hardware key. At minimum, get your email and bank onto an authenticator app or a hardware key today.
Check whether your data is already in a known breach
Once the immediate fires are out, find out how exposed you are. When companies get breached, the leaked email-and-password lists often circulate publicly. You can check yourself safely without handing over anything sensitive.
Use our breach check tool to see whether your email address has shown up in known data breaches. If it has, that tells you which accounts to prioritize. You can also test a specific password with the pwned password checker to see if it has appeared in past leaks. If a password shows up there, stop using it everywhere, immediately.
Don't panic if your email appears in a breach or two; that's extremely common and doesn't mean you're currently hacked. It's simply a signal to make sure every affected account has a fresh, unique password and 2FA turned on.
Scan for malware
If the trouble might be on your computer or phone rather than just an online account, you want to rule out malware (malicious software hiding on your device). Skipping this step is risky, because new passwords don't help if something is silently recording them.
On Windows, the built-in Microsoft Defender is genuinely good. Open it and run a full scan, not just a quick one. On a Mac, malware is rarer but not impossible; a reputable scanner can give you peace of mind. On phones, stick to the official app store, delete any app you don't recognize, and check which apps have unusual permissions.
A few practical tips:
- Update your operating system and browser first; many infections exploit known holes that updates have already patched.
- If a scan finds and removes something, change your important passwords again afterward, from a clean device, since the malware may have captured the earlier round.
- If your computer is heavily infected and acting bizarrely, a full factory reset (after backing up your personal files) is sometimes the cleanest path forward.
Audit the sneaky settings attackers leave behind
This is the step most people forget, and it's where attackers hide so they can come back even after you change your password. Walk through each of these in your important accounts, especially email.
Email forwarding rules and filters
Attackers love to set up a quiet rule that secretly forwards a copy of every email to their own address, or that auto-deletes bank alerts so you never see the fraud. Go into your email settings, find "Filters" or "Rules" and "Forwarding," and delete anything you didn't create.
Account recovery options
Re-check your recovery email and recovery phone number on every important account. If an attacker added theirs, they can reset your password again later. Remove anything that isn't yours.
Connected and third-party apps
Over the years you've probably clicked "Sign in with Google" or "Connect to Facebook" on lots of services. Each one keeps a door open. In your account's "Security" or "Connected apps" section, review the list and revoke anything you don't recognize or no longer use. This is a common backdoor attackers exploit.
Active sessions and devices
Look at the list of devices currently signed in. If you see a location or device that isn't you, sign it out and change the password again.
Lock down your money and watch for fraud
If there's any chance financial accounts were touched, treat this as urgent but, again, methodical.
- Call your bank or card issuer using the number on the back of your card, not a number from an email or pop-up. Tell them you suspect fraud. They can freeze the card, reverse fraudulent charges, and issue a new number.
- Turn on transaction alerts so you get a text or push notification for every charge. This turns you into your own early-warning system.
- Review recent statements line by line for anything unfamiliar, including small "test" charges.
- Consider a credit freeze. In the US, you can freeze your credit for free at all three major bureaus, which stops criminals from opening new accounts in your name. You can unfreeze temporarily whenever you need credit.
- Watch for follow-up scams. After a breach, fraudsters sometimes call pretending to be "your bank's fraud department." Hang up and call the official number yourself.
Warn the people in your circle
If your email or social accounts were taken over, the attacker may have messaged your contacts pretending to be you, often with a link or a "I'm stuck and need money" plea. A quick heads-up protects the people you care about.
Once you've regained control, post or message your contacts: "My account was compromised. If you got an odd message or link from me recently, please don't click it." Keep it short and calm. You don't owe anyone a detailed explanation, and a simple warning stops the scam from spreading.
Mini-playbooks for specific situations
The steps above apply broadly, but here are the focused moves for the most common scenarios.
Email account hacked
- From a clean device, reset your password and "sign out everywhere."
- Remove any forwarding rules, filters, and recovery options you didn't set.
- Turn on an authenticator app or hardware key.
- Because email resets other accounts, then change passwords on your bank and other key services.
- Warn your contacts about any messages sent in your name.
Social media account hacked
- Try the platform's official "My account was hacked" recovery flow; every major network has one.
- If you still have access, change the password, sign out all sessions, and check that the email and phone on file are yours.
- Remove connected third-party apps you don't recognize.
- Delete any posts or messages the attacker made and tell followers to ignore them.
Bank or card compromised
- Call the official number on your card immediately and report fraud.
- Freeze or cancel the affected card and request a new number.
- Change your online banking password and enable the strongest 2FA available.
- Set up transaction alerts and review the last few months of activity.
- Consider a credit freeze to block new accounts being opened in your name.
Computer infected
- Disconnect from the internet to stop it phoning home or spreading.
- Run a full malware scan with built-in or reputable security software.
- Update your operating system and browser.
- From a different, clean device, change your important passwords.
- If it's badly compromised, back up personal files and do a clean reinstall or factory reset.
Phone or SIM swap
- If you suddenly lose all cell signal unexpectedly, call your carrier right away (from another phone) to check whether your number was ported.
- Ask the carrier to restore your number and add a port-out PIN or account lock to prevent it happening again.
- Because SIM swaps target text-message codes, move your 2FA off SMS and onto an authenticator app or hardware key.
- Check your email and bank for any access that happened while the attacker had your number.
Build habits so this doesn't happen again
Recovery is the hard part; staying safe afterward is mostly a handful of small habits. None of these require you to be technical.
- Use a password manager so every account has a long, unique password without you memorizing anything.
- Turn on 2FA on your email, bank, and main social accounts, ideally with an authenticator app or hardware key.
- Keep devices updated. Turn on automatic updates so security holes get patched without you thinking about it.
- Slow down on links and attachments. Most break-ins start with a convincing fake message. When in doubt, go to the site directly instead of clicking. Sharpen your instincts with our phishing quiz.
- Add a port-out PIN with your phone carrier to block SIM swaps.
- Check in occasionally. Run your email through the breach check now and then so you're not caught off guard.
If you'd like to build these skills properly and at your own pace, the training section turns all of this into simple, friendly lessons.
The quick version
- Don't panic. Most hacks are fully recoverable when you work the steps in order.
- Confirm it's real by looking for the specific signs for your email, social, bank, computer, or phone.
- Do all cleanup from a clean, trusted device so malware can't grab your new passwords.
- Secure your email first — it's the master key that can reset every other account.
- Give every account a long, unique password using a password manager like Bitwarden or 1Password.
- Turn on two-factor authentication, ideally an app or a YubiKey rather than SMS.
- Check your exposure with the breach check and scan for malware.
- Audit forwarding rules, recovery settings, and connected apps — that's where attackers hide.
- Lock down money, set alerts, consider a credit freeze, and warn your contacts.
- Lock in a few prevention habits so you don't have to do this again.
Liked this?
Get one short, useful security email when we publish something new.
More in Guides
How to Set Up a Password Manager for Your Whole Family
Shared logins on sticky notes and reused passwords put the whole household at risk. Here is how to…
Smart Home Security: Locking Down Cameras, Speakers, and Connected Devices
Every smart plug, camera, and speaker is a tiny computer on your network. Here is how to enjoy…
A Traveler's Digital Security Guide: Safe Before, During, and After Your Trip
Travel puts your devices and accounts in unfamiliar, riskier places. Here is a calm checklist for keeping your…