{"componentChunkName":"component---src-templates-blog-template-js","path":"/blog/what-to-do-if-you-get-hacked","result":{"data":{"markdownRemark":{"html":"<h1>What to Do If You Get Hacked</h1>\n<p>Getting hacked is stressful. It can feel personal, urgent, and confusing all at once. You may see a strange login alert,\nfind messages you did not send, lose access to an account, notice money missing, or hear from friends that they received\nsuspicious links from you.</p>\n<p>The most important thing is to avoid panic-driven decisions. Attackers often rely on speed, confusion, and pressure.\nYour goal is to slow the situation down, contain the damage, recover control, and then remove the weaknesses that made\nthe compromise possible.</p>\n<p>This guide walks through the practical steps to take if a personal account, business account, device, or online service\nhas been hacked.</p>\n<h2>1. Notify your employer immediately if work may be affected</h2>\n<p>If there is any chance your employer, customer, or another organization may be affected, notify the appropriate IT or\nsecurity team immediately. Do not wait until you have complete proof. This includes cases where the compromised device was\nused for work, enrolled as a bring-your-own-device (BYOD) device, used to access company email, used for single sign-on,\nor logged in to a company password manager, VPN, admin panel, source code repository, cloud console, or file-sharing\nservice.</p>\n<p>This should happen before you try to investigate everything yourself. The organization may need to revoke sessions,\nrotate credentials, check logs, isolate affected systems, or disable access while the incident is still unfolding.</p>\n<p>Delaying this notification can make the damage worse and may expose you to disciplinary action or liability if the\norganization suffers losses that could have been limited by prompt reporting. If no business services, devices, accounts,\nor data could be affected, continue with the personal recovery steps below.</p>\n<h2>2. Start from a clean device</h2>\n<p>If you think your computer or phone may be infected, do not use that same device to reset passwords or log in to\nimportant accounts. Malware can record new passwords, steal session cookies, capture screenshots, or intercept recovery\ncodes.</p>\n<p>Use a device you trust, such as:</p>\n<ul>\n<li>A fully updated phone or computer that does not show signs of compromise</li>\n<li>A family member's device that you trust</li>\n<li>A work-managed device, if your IT team confirms it is safe to use</li>\n</ul>\n<p>If you do not have access to a clean device, disconnect the suspected device from the internet and focus on getting help\nbefore entering new credentials.</p>\n<h2>3. Secure your email account first</h2>\n<p>Your email account is often the key to everything else. If an attacker controls your email, they can reset passwords for\nbanking, shopping, cloud storage, social media, developer platforms, and business tools.</p>\n<p>Start with your main email account and check the following:</p>\n<ul>\n<li>Change the password to a new, unique, strong password</li>\n<li>Enable multi-factor authentication if it is not already active</li>\n<li>Review recovery email addresses and phone numbers</li>\n<li>Remove recovery options you do not recognize</li>\n<li>Check forwarding rules and filters for suspicious changes</li>\n<li>Review recent login locations and active sessions</li>\n<li>Sign out of all other sessions if the provider offers that option</li>\n</ul>\n<p>Pay special attention to mailbox rules. Attackers sometimes create filters that hide security alerts, forward invoices,\nor silently copy password reset messages to another address.</p>\n<h2>4. Change passwords in the right order</h2>\n<p>After securing email, move to the accounts that can cause the most damage. Do not waste the first critical minutes on\nlow-value accounts while the attacker still has access to banking, cloud storage, or administrator tools.</p>\n<p>Prioritize accounts in this order:</p>\n<ol>\n<li>Email accounts</li>\n<li>Banking, payment, and cryptocurrency accounts</li>\n<li>Password vaults, identity providers, and single sign-on accounts</li>\n<li>Cloud storage, backups, and file-sharing services</li>\n<li>Work accounts, admin panels, hosting providers, and developer platforms</li>\n<li>Social media and messaging accounts</li>\n<li>Shopping, gaming, forums, and other lower-risk accounts</li>\n</ol>\n<p>Every new password should be unique. If you reuse the same new password across several accounts, one remaining weak\npoint can compromise everything again.</p>\n<h2>5. Revoke sessions, devices, apps, and tokens</h2>\n<p>Changing a password is important, but it may not remove an attacker who is already logged in. Many services keep active\nsessions alive after a password change unless you explicitly revoke them.</p>\n<p>Look for settings such as:</p>\n<ul>\n<li>Sign out of all devices</li>\n<li>Active sessions</li>\n<li>Trusted devices</li>\n<li>Connected apps</li>\n<li>App passwords</li>\n<li>API keys</li>\n<li>Browser extensions</li>\n<li>OAuth access</li>\n<li>SSH keys</li>\n<li>Recovery codes</li>\n</ul>\n<p>Remove anything you do not recognize. For business or developer accounts, rotate API tokens, deployment keys, SSH keys,\nwebhooks, and service account credentials that may have been exposed.</p>\n<h2>6. Turn on stronger multi-factor authentication</h2>\n<p>Multi-factor authentication, often called MFA or 2FA, can stop many account takeover attempts even when a password is\nstolen. If MFA was not enabled before, enable it now on your important accounts.</p>\n<p>Prefer stronger options where available:</p>\n<ul>\n<li>Hardware security keys</li>\n<li>Authenticator apps</li>\n<li>Backup codes stored safely offline</li>\n</ul>\n<p>SMS-based codes are better than having no second factor, but they are weaker than app-based or hardware-backed options.\nPhone numbers can be transferred through SIM swap attacks, intercepted in some situations, or abused through weak account\nrecovery processes.</p>\n<p>When you enable MFA, generate backup codes and store them somewhere safe. Otherwise, losing a phone or security key can\nturn recovery into a separate emergency.</p>\n<h2>7. Check for financial and identity damage</h2>\n<p>If the hacked account touches money, identity documents, invoices, customer data, or tax information, assume the attacker\nmay have copied useful details even if you regain access quickly.</p>\n<p>Check the following:</p>\n<ul>\n<li>Bank and card transactions</li>\n<li>Payment apps and saved cards</li>\n<li>Cryptocurrency exchange withdrawals and API keys</li>\n<li>New shipping addresses in shopping accounts</li>\n<li>New subscriptions or purchases</li>\n<li>Credit reports or identity monitoring, where available</li>\n<li>Tax, insurance, or government portals</li>\n</ul>\n<p>Contact your bank or payment provider immediately if you see suspicious activity. In many cases, faster reporting improves\nyour chance of reversing fraudulent transactions or limiting liability.</p>\n<h2>8. Preserve evidence before deleting everything</h2>\n<p>It is natural to want to clean up quickly, but deleting messages, logs, or files too early can make investigation harder.\nBefore removing suspicious items, preserve basic evidence. Do this before wiping or reinstalling a device, especially if\nmoney, company data, customer data, ransomware, or legal obligations may be involved.</p>\n<p>Useful evidence includes:</p>\n<ul>\n<li>Login alert emails</li>\n<li>Screenshots of suspicious account activity</li>\n<li>Sender addresses and message headers for phishing emails</li>\n<li>Transaction IDs and invoice details</li>\n<li>Login locations and timestamps</li>\n<li>Names of unknown devices or apps</li>\n<li>Support ticket numbers</li>\n<li>The original hard drive or SSD, if the device itself may need forensic analysis</li>\n</ul>\n<p>This information can help support teams, banks, law enforcement, insurers, internal IT teams, or incident responders\nunderstand what happened.</p>\n<p>If the laptop or desktop allows it, consider removing the original drive and installing a new hard disk or SSD for the\nfresh operating system installation. That gives you a clean system to work from while preserving the original disk in case\nit is needed for investigation. If you are dealing with a business incident, ask IT or an incident responder before\nchanging disks or powering the device on again.</p>\n<h2>9. Rebuild compromised devices from scratch</h2>\n<p>If the compromise may have started from malware, a malicious attachment, a fake browser extension, pirated software, or\nunknown remote-access tools, account recovery alone is not enough. The device itself may no longer be trustworthy. An\nattacker could have installed persistence mechanisms, modified system settings, captured session cookies, or left behind\nsoftware that steals the new credentials as soon as you enter them.</p>\n<p>In that situation, the safer default is not to \"clean\" the device manually. The safer default is to preserve any needed\nevidence first, back up only the data you truly need, wipe the device, and install the operating system fresh.</p>\n<p>Important precautions:</p>\n<ul>\n<li>Create the installer USB stick from an uncompromised device</li>\n<li>Download installation media only from the official operating system vendor</li>\n<li>Do not reuse old recovery images if you are unsure when the compromise started</li>\n<li>Back up documents, photos, and other necessary files, but avoid copying unknown executables, scripts, or installers</li>\n<li>Reinstall applications from trusted sources instead of restoring everything automatically</li>\n<li>Fully update the operating system and browser before logging in to important accounts</li>\n<li>Rotate passwords again if you entered them on the device while it may still have been compromised</li>\n</ul>\n<p>For a high-risk compromise, especially ransomware, business email compromise, administrator account takeover, or suspected\ndata theft, consider professional incident response help before wiping systems. In business cases, evidence may be needed\nfor investigation, insurance, legal obligations, or customer notification.</p>\n<h2>10. Notify people who may be affected</h2>\n<p>If attackers used your account to send messages, invoices, links, or files, warn the people who may have received them.\nKeep the warning short and specific.</p>\n<p>For example:</p>\n<blockquote>\n<p>My account was compromised. Please do not open links, attachments, payment requests, or shared files sent from me\nbetween [time] and [time]. I have regained access and am investigating.</p>\n</blockquote>\n<p>For businesses, notification may also be a legal or contractual requirement. If customer data, employee data, payment\ninformation, health information, or confidential client material may have been exposed, involve legal, compliance, and\nsecurity teams early.</p>\n<h2>11. Report the incident where appropriate</h2>\n<p>Not every hacked social account requires a police report, but some incidents should be reported. This is especially true\nfor financial fraud, identity theft, ransomware, business email compromise, stolen customer data, or threats involving\npersonal safety.</p>\n<p>Useful reporting channels may include:</p>\n<ul>\n<li>The affected service provider</li>\n<li>Your bank or payment provider</li>\n<li>Your employer's IT or security team</li>\n<li>Local law enforcement or national cybercrime reporting portals</li>\n<li>Insurance providers, if cyber insurance applies</li>\n<li>Customers, partners, or regulators, if data exposure is confirmed or likely</li>\n</ul>\n<p>Reporting also creates a record. That record can matter later if fraudulent activity continues or if you need to prove\nthat you acted quickly.</p>\n<h2>If you run a business, treat it as an incident</h2>\n<p>For organizations, a hacked account is rarely just an account problem. It may be the first visible sign of a broader\nincident. A compromised email inbox can expose customer conversations. A stolen administrator password can lead to data\nexfiltration. A leaked deployment key can affect production systems.</p>\n<p>Business response should include:</p>\n<ul>\n<li>Isolate affected devices and accounts</li>\n<li>Preserve logs before they rotate or are deleted</li>\n<li>Identify what the attacker accessed, changed, copied, or created</li>\n<li>Rotate passwords, API keys, certificates, tokens, and recovery codes that may be exposed</li>\n<li>Review mailbox forwarding rules, OAuth apps, admin roles, and new user accounts</li>\n<li>Remove stale access for former employees, vendors, and contractors</li>\n<li>Communicate clearly with affected stakeholders</li>\n<li>Document what happened and what will change afterward</li>\n</ul>\n<p>If the incident involves regulated data, customer data, ransomware, production infrastructure, or privileged access, get\nprofessional help early. Waiting too long can make containment and evidence collection harder.</p>\n<h2>Common mistakes to avoid</h2>\n<p>Some well-intentioned actions make recovery harder or create new risk.</p>\n<p>Avoid these mistakes:</p>\n<ul>\n<li>Not immediately informing your employer / IT department</li>\n<li>Resetting passwords from a device that may still be infected</li>\n<li>Reusing one new password across many accounts</li>\n<li>Ignoring email forwarding rules and recovery settings</li>\n<li>Forgetting to revoke active sessions and connected apps</li>\n<li>Deleting suspicious emails before saving evidence</li>\n<li>Assuming MFA means the account is automatically safe</li>\n<li>Waiting days to contact banks or service providers after financial fraud</li>\n</ul>\n<h2>After recovery: reduce the chance of it happening again</h2>\n<p>Once the immediate situation is under control, spend time strengthening your setup. Most account compromises are not\ncaused by advanced hacking. They come from reused passwords, phishing, weak recovery options, malware, exposed devices,\nor old access that nobody removed.</p>\n<p>A practical hardening checklist:</p>\n<ul>\n<li>Use unique passwords for every account</li>\n<li>Store passwords in a secure password manager instead of documents, notes, or chat messages</li>\n<li>Enable MFA on email, banking, cloud storage, work accounts, and social media</li>\n<li>Replace SMS-based MFA with stronger methods where possible</li>\n<li>Keep devices, browsers, and apps updated</li>\n<li>Remove unused apps, extensions, and connected services</li>\n<li>Review account recovery settings every few months</li>\n<li>Back up important files in a way ransomware cannot easily overwrite</li>\n<li>Teach family members or employees how to spot phishing and fake support requests</li>\n</ul>\n<p>Security does not have to be perfect to be much better. A few consistent habits can remove the easiest attack paths and\nlimit the damage if something goes wrong again.</p>\n<h2>Final thought</h2>\n<p>Getting hacked is not always a sign that you did something foolish. Attackers target people and businesses constantly,\nand even careful users can be tricked by a convincing phishing page, a reused password from an old breach, or a device\nthat was compromised quietly.</p>\n<p>What matters most is the response: secure email first, change passwords from a trusted device, revoke sessions, enable\nstrong MFA, check financial risk, preserve evidence, and notify anyone who could be affected. After that, improve the\nsystems and habits that make the next attack less likely to succeed.</p>","frontmatter":{"date":"June 29, 2026","slug":"what-to-do-if-you-get-hacked","title":"What to Do If You Get Hacked","description":"A practical step-by-step guide for containing damage, recovering accounts, protecting money and data, and reducing the chance of getting hacked again.","author":"Sascha Pfeiffer","featuredImage":null}}},"pageContext":{"slug":"what-to-do-if-you-get-hacked","lang":"en","langPathPrefix":""}},"staticQueryHashes":["2149092236","3128451518","3192060438"]}