TL;DR
- "Hacked" usually means someone is signed into your account from somewhere else. It rarely means someone has broken into the platform itself. That distinction matters — and it makes the situation more recoverable than it feels.
- The first ten minutes decide most of the outcome. Work the steps below in order, calmly, from a different device if possible.
- Change the password and turn on two-factor authentication on the affected account first. Then the email account behind it, because the email is the master key to everything else.
- Tell the people in your circle quickly. A compromised account is often used to phish the people who trust you. A short heads-up message stops the second wave.
- After the immediate response is done, slow down for the recovery — review what the attacker might have seen, what payment methods they may have changed, and what they may have set up to keep their access (forwarding rules, app passwords, recovery numbers).
What it is
When someone says "I've been hacked," they almost always mean one of these things:
- An attacker has signed into one of your accounts — most commonly email, social media, a shopping account, or a streaming account. They got your password from a phishing site, from a leaked database, from someone who watched you type it, or from reusing a password across sites.
- An attacker has hijacked a session — they didn't get your password, but they got the cookie or token that proves you were already signed in (often through a malicious browser extension or a compromised website).
- A device is infected — software has been installed that records what you type or steals what's on screen. Less common than people think, but real.
- A SIM-swap — the attacker has convinced your phone carrier to move your phone number to their SIM card. Now they receive your text-message verification codes. Less common, more dangerous, mostly used on people with significant cryptocurrency or high-profile accounts.
The early signs are similar in all four cases:
- Login alerts from places you've never been.
- Password-reset emails for accounts you didn't ask to reset.
- Friends asking why you sent them a strange link.
- Posts, photos, or messages on your social account that you didn't create.
- Bank or card notifications for purchases you didn't make.
- Your phone showing "no service" suddenly and inexplicably.
What to do — the first ten minutes
Work through this list in order. Don't skip ahead, even if a step feels obvious. Work from a second device (a different phone, a tablet, a partner's laptop) if you can. If you can't, use the device you have — speed matters more than perfection.
- Identify the affected account. If you're not sure which one — start with email. Email is the master key; almost every other account can be reset from it.
- Sign out of every session on the affected account. Almost every major platform has a "log me out of all devices / sessions" button in security settings. Press it. This kicks the attacker off, at least for a moment.
- Change the password. Use a strong, unique password — at least 14 characters, not used on any other site. A password manager makes this trivial; if you don't have one, write the new password on paper and store it somewhere safe for the day.
- Turn on two-factor authentication. Use an authenticator app (Google Authenticator, Microsoft Authenticator, Authy, Aegis on Android) rather than SMS where possible. SMS 2FA is better than nothing, but it can be defeated by a SIM-swap.
- Check and remove "trusted devices" and "app passwords." The attacker may have authorised a device or generated an app-specific password to keep access even after you change your main password. Remove anything you don't recognise.
- Check the recovery email and recovery phone number. Attackers often change these so they can reset the account back to themselves. Restore them to your own contact details.
- Check inbox forwarding rules and filters (for email accounts). One of the most common tricks: the attacker sets a hidden rule that forwards a copy of every incoming email to themselves, so they can intercept future password resets. Open the filter/rule list and delete anything you didn't create.
- Now do the same for your email account — if the compromised account wasn't already email. Email is the master key. If the attacker got into your shopping account, they probably also tried email.
- Tell people. A short message — sent via a different channel like WhatsApp or text — to friends, family, and colleagues: "My account was compromised. If you got a strange message from me in the last day, ignore it." This stops the second wave of phishing the attacker is sending to your contacts.
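The hidden-forwarding-rule trick above can also be checked offline. The script below is an added example, not part of the original guide: it assumes a Gmail filter export (Settings > Filters and Blocked Addresses > Export, an Atom XML feed whose entries carry apps:property elements such as forwardTo and shouldTrash) and flags rules that forward mail or quietly hide mail about passwords and sign-ins. The sample export, including the recipient address, is constructed.

```python
# Added example (not part of the original guide): scan an exported Gmail
# filter file for the kind of rule an intruder leaves behind.
# Assumption: Gmail's filter export format, an Atom feed in which each
# <entry> carries <apps:property name=... value=.../> elements.
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words that appear in the mail an attacker most wants to hide from you.
SENSITIVE_WORDS = ("password", "verification", "security", "sign-in", "reset")

# Constructed sample export: one harmless rule and two suspicious ones.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='forwardTo' value='attacker-placeholder@example.net'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='password reset'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""


def scan_filters(xml_text: str) -> list[str]:
    """Return one warning per rule that forwards mail or hides mail matching a
    security keyword. An empty list means nothing was flagged."""
    warnings = []
    root = ET.fromstring(xml_text)
    for idx, entry in enumerate(root.findall(ATOM + "entry"), start=1):
        props = {p.get("name"): p.get("value", "") for p in entry.findall(APPS + "property")}
        # Every forwarding rule deserves a look: delete any you did not create.
        if "forwardTo" in props:
            warnings.append(f"rule {idx}: forwards a copy of matching mail to {props['forwardTo']}")
        # Rules that trash, archive or mark-as-read security-related mail are
        # used to hide reset emails and login alerts from you.
        hides = any(props.get(k) == "true" for k in ("shouldTrash", "shouldArchive", "shouldMarkAsRead"))
        criteria = " ".join(props.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
        if hides and any(w in criteria for w in SENSITIVE_WORDS):
            warnings.append(f"rule {idx}: hides mail matching '{criteria.strip()}'")
    return warnings


if __name__ == "__main__":
    for line in scan_filters(SAMPLE_EXPORT) or ["no suspicious rules found"]:
        print(line)
```

Replace SAMPLE_EXPORT with the contents of your own exported file; anything the script flags should be compared against the rules you remember creating.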
What to do — the next 24 hours
The fire is out. Now check what the attacker may have done while inside.
- Review recent sign-in activity in the affected account. Many platforms show a list of devices and locations. Sign out anything unfamiliar.
- Review sent messages and posts. Did the attacker message anyone? Did they post anything? Apologise to anyone who got a strange message from you, and ask them to ignore any links.
- Review payment methods and saved cards. Attackers sometimes add their own card to your account, buy things using your stored billing details, or change a delivery address.
- Review connected apps and third-party access. Most platforms have a "connected apps" page; revoke anything you don't actively use.
- Check linked accounts. "Sign in with Google" or "Sign in with Apple" or "Sign in with Facebook" means a single account is a key into many others. If the central account was compromised, every linked downstream service may also be.
- For email specifically: search your trash for the password-reset emails the attacker may have used to break into other accounts. That's the clearest map of where they went next.
What to do — the following two weeks
- Watch for personalised phishing. Attackers who got into your inbox now know which bank you use, which shops you order from, who your colleagues are. Expect a follow-up wave of very convincing fake emails.
- Watch your bank and card statements for transactions you don't recognise — both large and very small (attackers often test with a tiny purchase before a big one).
- Watch your credit report if your country has free credit-monitoring (it does for most EU countries, the UK, the US, and many others). New credit applications you didn't make are a sign of identity theft — see the Identity Theft Recovery topic.
- Tell your bank, even if no money has moved. They can flag the account for review.
What NOT to do
- Don't ignore it because "nothing seems to be missing yet." Attackers sometimes sit quietly for days, mapping your accounts and waiting for a payday before acting.
- Don't reset everything on the compromised device if you suspect it's also infected. Use a different device for the recovery work — your phone, a borrowed laptop, anything.
- Don't reuse the new password anywhere. This is the single most common cause of repeat compromise.
- Don't pay anyone who contacts you offering to "fix" the hack. Recovery scams target people in this exact moment.
- Don't be ashamed. Account compromise happens to security engineers and to school-age kids and to retired teachers and to senators. The platform's own statistics tell you you're not alone.
- Don't post about it on the compromised account ("I was hacked, sorry for the messages"). Wait until you're sure you have control back, or post from a different account, because attackers sometimes keep a foothold and can edit your message after you post it.
Use AI to help you
Two prompts you can copy. Paste your situation in the brackets. Don't paste passwords or two-factor codes. Do paste the headers of any suspicious emails or screenshots of suspicious activity (with personal details masked).
Triage prompt:
"I think one of my accounts has been compromised. Here's what I noticed: [describe the signs]. The affected account is [type — email, social, shopping, etc.]. I am writing from [device type — my phone / a friend's laptop / etc.]. Please give me a step-by-step recovery plan for the next 30 minutes, in priority order, written as a numbered checklist I can follow without prior security knowledge."
Forensics prompt (after the fire is out):
"I have now secured my account: changed the password, turned on two-factor authentication, signed out other sessions, and removed unfamiliar devices. Please help me identify (a) the most likely way the attacker got in, based on what I describe, (b) what other accounts of mine are now at higher risk, and (c) what I should monitor for the next two weeks. Context: [what type of account, what you noticed, anything strange in your sent items or filters]."
A reminder: AI is a sharp thinking partner for triage and follow-up. It cannot, however, talk to your bank for you or recover access to an account you've been fully locked out of. Use it to plan and then use the official recovery channels.
Who to call
The order: the platform, your bank if money is involved, your country's cybercrime or anti-fraud authority.
- The platform. Every major service has a dedicated "my account was hacked" recovery flow. Examples: Google "Account recovery" (g.co/recover), Microsoft "I think someone else is using my Microsoft account" (account.microsoft.com), Apple "Recover an Apple Account" (iforgot.apple.com), Meta "Hacked account" (facebook.com/hacked, instagram.com/hacked), X / Twitter "Help with a hacked account." Use the platform's own page — never click a link in any email about it.
- Your bank, if any payment account was linked or if you see unfamiliar transactions. The official number on your card; never one from the suspicious message.
- Your phone carrier, if your phone suddenly shows "no service" or you can't make calls — this could be a SIM-swap. Call from a different phone immediately.
Then your national reporting body.
Find the latest contacts for your country with AI:
"I'm in [your country]. List the official channels I should contact if one of my accounts has been compromised — the national cybercrime reporting body, the financial fraud / banking ombudsman, the telecom regulator (for SIM-swap), and the data-protection authority. For each, give the official website and public phone number, and tell me which to call first depending on whether (a) an email or social account was taken over but no money has moved, (b) money has moved or cards are being charged, (c) I suspect a SIM-swap, or (d) personal data has been exposed alongside the account. Cite the official source page for each. Flag anything that might be outdated."
A short curated list (for the very latest, prefer the AI prompt above):
- English: UK — Action Fraud (actionfraud.police.uk). US — FBI IC3 (ic3.gov), FTC IdentityTheft.gov. Canada — Canadian Anti-Fraud Centre. Australia — Scamwatch, ReportCyber (cyber.gov.au).
- German: Germany — local Polizei online, BSI für Bürger. Austria — Watchlist Internet. Switzerland — National Cyber Security Centre (ncsc.admin.ch).
- French: France — Cybermalveillance.gouv.fr. Belgium — Safeonweb.be. Switzerland (FR) — ncsc.admin.ch.
- Italian: Italy — Polizia Postale.
- Spanish: Spain — INCIBE (017). Mexico — Policía Cibernética.
- Portuguese: Portugal — CNCS (1407). Brazil — CERT.br.
When to escalate beyond chat
- Money is moving and the bank's online tools aren't stopping it — call the bank's emergency line, today, and ask specifically for the fraud team. Tell them you suspect ongoing unauthorised access.
- Your phone has lost service unexpectedly — assume a SIM-swap in progress. Call the carrier from another phone now, and your bank, in that order. Move any text-message-based 2FA to an authenticator app as soon as you regain control.
- You've been locked out of email and you can't recover it — go in person to the local police station to file a report, and follow the platform's identity-verification recovery process. For Google and Microsoft, recovery can take days; document the timeline.
- Personal photos, intimate images, or sensitive documents may have been accessed — this is not only account compromise, it's potential identity theft and possible blackmail. Save evidence, do not respond to extortion, and contact your local police cybercrime unit.
- The compromised account belongs to an elderly relative who is panicking — go to them in person if you can. Walking them through the recovery sitting next to them is twenty times faster than over the phone.
Related topics
- Phishing & Scam Emails — the most common way attackers got the password in the first place.
- Passwords & Two-Factor — what to do now so this doesn't happen again.
- Identity Theft Recovery — if the attacker did more than just take over an account.
- "Your Data Was Leaked" — sometimes the password the attacker used came from a breach of a completely different site.