What to do if you think one of your online accounts has been hacked

You learn of messages sent from you that you never wrote, you get a notification about a new login from a device you don’t recognize, you get an unsolicited text message with a verification code, or you receive a phone call asking you to verify your identity. There is suspicious activity and you think one of your many online accounts might have been hijacked by hackers. What now?

You need to act quickly, but also precisely. With cool and critical thought, you can limit the damage and work toward regaining control of an account that may have been breached. Take these steps to regain control of a hacked account, secure it, and protect your other accounts as well.

Confirm whether the specified account was actually hacked

Is there news online that the website or service had a data breach? If so and there’s not been any indicator of unauthorized logins yet, a simple password reset may secure you.

Bitwarden Head of Information Security, Bart Falzarano, suggests: “Have you received any email notifications or alerts indicating that your account was logged in from a new location? If so, the first thing to do is to carefully review the communication email to determine if the email is legitimate as it could be a phishing or social engineering attack. Verify that the email address is actually from the company, and instead of clicking a link in the email, go to the website directly.”

If you received one of these communications from someone claiming to be from a “customer support” team or another suspicious email that doesn’t hold up under scrutiny, you might not have been compromised at all, and the person contacting you is trying to trick you, through social engineering or phishing emails, into giving them the login credentials they need to gain access to your account.

Next, on a device that’s safe (see below), try logging into the specific account. Are you able to access it? If so, do you see any strange activity in the account or settings adjustments you didn’t make? Some services offer security logs to see devices that have logged in. Do you see anything suspicious?

Investigate if your 2FA method was compromised

Should you find that there was unauthorized access or activity on the account, recall if two-factor authentication was turned on. If so this could mean that your second factor, such as your authenticator app, email address, or phone number, was also compromised.

TIP: If your phone isn’t working and isn’t receiving text messages, then you were likely the victim of a SIM-swap attack, which has greater implications. Your first priority would be to work with your phone carrier to recover your phone number.

Ensure your device is safe

If you do believe you were hacked, before any action is taken you need to be sure that your device isn’t compromised with malware. Any malware on your desktop computer, laptop, or phone will negate any efforts made here.

“If a virus, malware, or other exploit is running on your device and intercepting or stealing your information, your account or accounts may continue to get hacked even after you’ve changed passwords,” “Falzarano says. “There are several inexpensive antivirus and anti-malware type tools available for personal users that can be used to scan your device for viruses and malware. Run a scan and be sure that your device is free from any virus, infostealer malware, or other exploit.”

You could also use another device you’re sure is clear, or even completely reset your computer – the nuclear option.

Now that specific account needs to be secured as quickly as possible.

If you can access the account:

Immediately go to the account security settings and change your password to a strong, unique password that you’ve never used anywhere else. Use a strong password generator tool to come up with a secure password or passphrase. For now, write down that password on paper. Double and triple-check you wrote it down correctly!

Next, turn on two-factor authentication (2FA), also commonly referred to as multi-factor authentication (MFA), two-step verification, multi-step login, or other similar terms. If you already had 2FA on and the account was still compromised, reset the 2FA method and set up a new one. If you were using an authenticator app and you’re certain your phone is not compromised, try using a new app. There are several free authenticator apps available. If your email address is secure, you can use an emailed code. If the website only supports SMS and your phone number is receiving text messages, then you should enable that as any 2FA is better than no 2FA.

TIP: When you set up two-factor authentication, you may also be given the opportunity to generate recovery codes. Do so and print them out or write them down.

If the hacked account or service allows you to end active sessions or remove recognized devices, do so. This should force all devices to log out and require them to log in again.

If you cannot access the account:

Should your password not work, it could mean that the attacker changed your password to stop you from getting control back. Most websites have a “Forgot your password?” option that usually requires an email address. Try using this password reset link to log in.

“There is usually some sort of recovery mechanism that you were required to set up when first creating the account,” says Falzarano. “That can be sending an email, using a recovery phone, answering security questions, or working with support to go through recovery steps and proving or verifying your identity.”

If you still cannot log in, such as scenarios where the attacker enabled their own 2FA or changed the email address on the account, then contact customer support for the online account as soon as possible. Request that the account be locked until you are able to verify your identity. This is especially important for your primary email address and financial accounts.

Customer support can freeze your accounts. This is useful to halt cases with identity theft to stop any unauthorized transfers from banking accounts, providing access to other accounts, like those that include “Log in with [service]”, and halt password changes or other activities hackers might do to keep you locked out.

After you have been able to regain account control you need to make sure that the security in the account is strong and there are no backdoors or additional security risks.

Check for backdoors that hackers made for themselves and remove any recovery phone number or email address you don't recognize.

Check your hacked account’s settings

“If your account was compromised, be aware that the hacker or threat actor may have made changes to your account settings to weaken the security of your account in order to provide themselves a way to get back into your account,” says Falzarano. “They can change information like the address, or recovery information like email or phone number. You should also change security questions if applicable.”

• Be sure that only your email address or phone number are listed as recovery options

• Reset any security questions. Choose new ones, or change the answers to those of someone close to you, or answer nonsense words or phrases - be sure to write those down. Avoid easily traced questions like ‘mother’s maiden name.’

Notify customer support

This is especially important for financial institutions. Support teams can place your account in additional security protocols and reset any revealed information such as credit card numbers.

Take a deep breath. You’ve managed to take care of the most urgent tasks, but you still have some work to do. Assess anything that your account could have been used for by hackers to further their gains into your digital life or aid them in identity theft.

Duplicate passwords

Think, was the password used for the hacked account reused anywhere else? If so, it’s possible that one of your other accounts was part of a breach and your password is available on the dark web for anyone to try. On pen and paper, list out every other account that used the same password that you can remember. These are all now at risk for being hacked too.

A reused or weak password is the most common way for hackers to get into your account. Every password you have should be strong and unique!

Access to other accounts

Was the compromised account one that could grant access to other accounts? For example, your email address is often used for the “Forgot your password?” password reset functions on websites. Many websites also offer the Log in with [service] option. Write down any websites that could have been accessed through the hacked account.

Messages to others

If the hacked account was one that could be used to send messages to friends, check your message history and see if some of your contacts were messaged. Inform them of the hack and warn them not to click on any links they may have been sent or provide any information that might give access to your accounts.

Revealed personal information

Falzarano recommends: “There are other actions you might need to take. If it was a bank account with financial information in it, or a service where a credit card was stored, you’ll want to call the bank or credit card company to report a fraud alert and get account numbers changed. Depending on the type of information compromised, you may also want to enroll in a credit and identity theft protection service.”

Was there any other personal information revealed in the hacked account? Some of that data is valuable to hackers, such as phone numbers of friends, Social Security Numbers, PINs to debit cards or other services, and even notes that were stored could be in hackers’ hands. Work to notify whichever authorities are necessary to be sure that hackers aren’t able to commit fraud using your information.

Now that you’ve picked up the pieces, it’s time to take the steps to stop this from happening again and protect yourself from these digital security threats.

Secure your email account

If the hacked account was not your primary email address, then you’re lucky. Your email address is usually at the center of your digital life and is where password reset links, account security information, and 2FA codes get sent to. It’s critical that it’s secured.

• Update the password to a strong, unique password. A password generator tool can help. Be sure to write it down. A passphrase might be helpful to use instead to help it be more memorable.

• Add 2FA to the account. Depending on the service the options can vary greatly, but generally supported are hardware keys, authenticator apps, other devices, or alternate email addresses. Be sure to write down any recovery codes in case you lose access to your 2FA method!

Your primary email address can quickly become the center of your online identity and access to other accounts. Be sure it's secured!

Change all reused passwords

In a prior step you wrote down all the websites that used the same password as the one that was hacked. Now it is time to go through each of them, change them to new passwords, and enable 2FA for each of them. For best security, they should be strong, unique passwords that are generated by a program or other diceware tool. Be sure to write these passwords down and store them in a safe place.

Use a password manager

Look at all the passwords you’ve written down on paper. It would be great if there was some incredibly secure software that could remember all those and even type them in for you, right? Well luckily, such tools exist! A password manager like Bitwarden is able to generate, store, and autofill unique, strong passwords for every account, making it much easier to keep your digital life secure. Bitwarden also has tools to check whether your credentials have been leaked on the dark web or if you’re reusing passwords or have some that are weak.

Bitwarden Password Manager is free for everyone and gives you the tools you need to secure your accounts.

Using a password manager is recommended by many governmental agencies and the National Cybersecurity Alliance, whose article helped inform this guide. Falzarano says: “We’re seeing password manager requirements now being included in compliance and certification frameworks. Governments have also been updating their recommendations and guidelines to indicate that access to digital systems should be controlled using strong and unique passwords, two-factor or multifactor authentication, and password managers. Governments and compliance agencies understand the importance of password managers and what they can do to help individuals and businesses with all the applications and credentials they need to protect.”

Bitwarden offers a fully functional free plan that works on every device, can store unlimited logins, and keep everything in a secure, end-to-end encrypted vault. All you need to remember is just the main password for Bitwarden, which should be written down and secured in a safe place. Be sure to enable 2FA on the Bitwarden account as well, and also save the 2FA recovery code!

After completing all these steps you can rest easy and feel good knowing that you’ve vastly improved your security posture and protection against hackers. To stay informed and protected from more sophisticated attacks you can read up on other threats, such as AI-based phishing and social engineering. Also it’s a great idea to help friends and family members get secure online!