Getting hacked is stressful. It can feel personal, urgent, and confusing all at once. You may see a strange login alert, find messages you did not send, lose access to an account, notice money missing, or hear from friends that they received suspicious links from you.
The most important thing is to avoid panic-driven decisions. Attackers often rely on speed, confusion, and pressure. Your goal is to slow the situation down, contain the damage, recover control, and then remove the weaknesses that made the compromise possible.
This guide walks through the practical steps to take if a personal account, business account, device, or online service has been hacked.
If there is any chance your employer, customer, or another organization may be affected, notify the appropriate IT or security team immediately. Do not wait until you have complete proof. This includes cases where the compromised device was used for work, enrolled as a bring-your-own-device (BYOD) device, used to access company email, used for single sign-on, or logged in to a company password manager, VPN, admin panel, source code repository, cloud console, or file-sharing service.
This should happen before you try to investigate everything yourself. The organization may need to revoke sessions, rotate credentials, check logs, isolate affected systems, or disable access while the incident is still unfolding.
Delaying this notification can make the damage worse and may expose you to disciplinary action or liability if the organization suffers losses that could have been limited by prompt reporting. If no business services, devices, accounts, or data could be affected, continue with the personal recovery steps below.
If you think your computer or phone may be infected, do not use that same device to reset passwords or log in to important accounts. Malware can record new passwords, steal session cookies, capture screenshots, or intercept recovery codes.
Use a device you trust, such as:
If you do not have access to a clean device, disconnect the suspected device from the internet and focus on getting help before entering new credentials.
Your email account is often the key to everything else. If an attacker controls your email, they can reset passwords for banking, shopping, cloud storage, social media, developer platforms, and business tools.
Start with your main email account and check the following:
Pay special attention to mailbox rules. Attackers sometimes create filters that hide security alerts, forward invoices, or silently copy password reset messages to another address.
After securing email, move to the accounts that can cause the most damage. Do not waste the first critical minutes on low-value accounts while the attacker still has access to banking, cloud storage, or administrator tools.
Prioritize accounts in this order:
Every new password should be unique. If you reuse the same new password across several accounts, one remaining weak point can compromise everything again.
Changing a password is important, but it may not remove an attacker who is already logged in. Many services keep active sessions alive after a password change unless you explicitly revoke them.
Look for settings such as:
Remove anything you do not recognize. For business or developer accounts, rotate API tokens, deployment keys, SSH keys, webhooks, and service account credentials that may have been exposed.
Multi-factor authentication, often called MFA or 2FA, can stop many account takeover attempts even when a password is stolen. If MFA was not enabled before, enable it now on your important accounts.
Prefer stronger options where available:
SMS-based codes are better than having no second factor, but they are weaker than app-based or hardware-backed options. Phone numbers can be transferred through SIM swap attacks, intercepted in some situations, or abused through weak account recovery processes.
When you enable MFA, generate backup codes and store them somewhere safe. Otherwise, losing a phone or security key can turn recovery into a separate emergency.
If the hacked account touches money, identity documents, invoices, customer data, or tax information, assume the attacker may have copied useful details even if you regain access quickly.
Check the following:
Contact your bank or payment provider immediately if you see suspicious activity. In many cases, faster reporting improves your chance of reversing fraudulent transactions or limiting liability.
It is natural to want to clean up quickly, but deleting messages, logs, or files too early can make investigation harder. Before removing suspicious items, preserve basic evidence. Do this before wiping or reinstalling a device, especially if money, company data, customer data, ransomware, or legal obligations may be involved.
Useful evidence includes:
This information can help support teams, banks, law enforcement, insurers, internal IT teams, or incident responders understand what happened.
If the laptop or desktop allows it, consider removing the original drive and installing a new hard disk or SSD for the fresh operating system installation. That gives you a clean system to work from while preserving the original disk in case it is needed for investigation. If you are dealing with a business incident, ask IT or an incident responder before changing disks or powering the device on again.
If the compromise may have started from malware, a malicious attachment, a fake browser extension, pirated software, or unknown remote-access tools, account recovery alone is not enough. The device itself may no longer be trustworthy. An attacker could have installed persistence mechanisms, modified system settings, captured session cookies, or left behind software that steals the new credentials as soon as you enter them.
In that situation, the safer default is not to "clean" the device manually. The safer default is to preserve any needed evidence first, back up only the data you truly need, wipe the device, and install the operating system fresh.
Important precautions:
For a high-risk compromise, especially ransomware, business email compromise, administrator account takeover, or suspected data theft, consider professional incident response help before wiping systems. In business cases, evidence may be needed for investigation, insurance, legal obligations, or customer notification.
If attackers used your account to send messages, invoices, links, or files, warn the people who may have received them. Keep the warning short and specific.
For example:
My account was compromised. Please do not open links, attachments, payment requests, or shared files sent from me between [time] and [time]. I have regained access and am investigating.
For businesses, notification may also be a legal or contractual requirement. If customer data, employee data, payment information, health information, or confidential client material may have been exposed, involve legal, compliance, and security teams early.
Not every hacked social account requires a police report, but some incidents should be reported. This is especially true for financial fraud, identity theft, ransomware, business email compromise, stolen customer data, or threats involving personal safety.
Useful reporting channels may include:
Reporting also creates a record. That record can matter later if fraudulent activity continues or if you need to prove that you acted quickly.
For organizations, a hacked account is rarely just an account problem. It may be the first visible sign of a broader incident. A compromised email inbox can expose customer conversations. A stolen administrator password can lead to data exfiltration. A leaked deployment key can affect production systems.
Business response should include:
If the incident involves regulated data, customer data, ransomware, production infrastructure, or privileged access, get professional help early. Waiting too long can make containment and evidence collection harder.
Some well-intentioned actions make recovery harder or create new risk.
Avoid these mistakes:
Once the immediate situation is under control, spend time strengthening your setup. Most account compromises are not caused by advanced hacking. They come from reused passwords, phishing, weak recovery options, malware, exposed devices, or old access that nobody removed.
A practical hardening checklist:
Security does not have to be perfect to be much better. A few consistent habits can remove the easiest attack paths and limit the damage if something goes wrong again.
Getting hacked is not always a sign that you did something foolish. Attackers target people and businesses constantly, and even careful users can be tricked by a convincing phishing page, a reused password from an old breach, or a device that was compromised quietly.
What matters most is the response: secure email first, change passwords from a trusted device, revoke sessions, enable strong MFA, check financial risk, preserve evidence, and notify anyone who could be affected. After that, improve the systems and habits that make the next attack less likely to succeed.