How to work out if you’ve been hacked and what to do about it

Everyone is vulnerable to the threat of cybercriminals or hackers getting access to your information, but the threats aren’t equal for everyone.

The average person will likely face fewer sophisticated threats than, say, a senior politician, activist or CEO. More high-profile figures may be targeted with phishing emails that are looking to steal secrets from corporate networks or initiate the transfer of large sums of money. You, your friends and your family will likely face different threats: from people you know seeking revenge, or, more likely, crime groups using automated tools to scoop up credentials en masse.

“We all like to think that we’re not susceptible to social engineering or other kinds of cyberattacks but the truth is that even intelligent, self-aware people still get caught up in online scams that can have very damaging consequences,” says Jake Moore, a cybersecurity specialist at Eset, an internet security company. “Many people will even admit they don’t click on phishing emails but may still get caught up in online scams. A number of emails may still slip through the net without realisation and can have serious effects financially or socially.”

Understanding the threats is key. Everyone has their own threat model that includes things that matter most to them – what’s important to you may not be equally important to someone else. But there’s a value to everything you do online: from Facebook and Netflix to online banking and shopping. If one of your accounts is compromised, stolen login information or financial details can be used across the web. It’s that sort of scenario that lets people order takeaways through compromised Deliveroo accounts.

While Facebook, Twitter, Instagram and other social networks are less likely to contain your credit card details there are other types of risk. Hacked social media accounts can be used to post compromising messages that could embarrass or defame somebody, be used for harassment or building up a picture of who you are and everyone you know.

“Discovering if you have been hacked can be a rather complicated task,” Moore adds. “You could wait to have it proven by losing control to your precious accounts although like anything, it is better to be proactive and stop it from happening in the future.” If you think you’ve been hacked, here’s where to start and what you can do next.

Spot unusual behaviour

The clearest sign that you’ve been hacked is when something has changed. You might not be able to access your Google account using your regular username and password or there may have been a suspicious purchases charged to one of your bank accounts. These are fairly obvious indications that you’ve been compromised in some way – and hopefully banks will detect any suspicious payments before things spiral too far.

However, before any of your accounts are compromised there may be warning signs. The account that someone is trying to break into may warn you about unusual attempts to log in: for instance, Facebook and Google will send notifications and emails alerting you to attempts to access your account. This will usually be if someone has tried to get in and failed but alerts can also be when someone has successfully signed-in from unfamiliar locations.

There’s barely a day that goes by without some company, app or website suffering a data breach – from Adobe to Dungeons and Dragons. These breaches can include phone numbers, passwords, credit card details and other personal information that would let criminals steal your identity, among other threats. Companies should be quick to tell you if they’ve been compromised, but using a breach notification service can also give you a heads-up. Haveibeenpwned and F-Secure’s identity checker will tell you about old data breaches but can also alert you to new cases where your details are swept up in compromised accounts.

Take back control

Once you know that your account has been hacked, that’s when the hard work begins. Regaining control of an account may not be straightforward – depending on who has access to it – and there’s a good chance it will involve a lot of admin. Anything from telling everyone you know that your email has been compromised to dealing with law enforcement.

First of all, you should get in touch with the company that owns your account. Every firm will have their own policies, procedures and recovery steps when it comes to compromised accounts – these can easily be found through an online search. (Facebook’s compromised account tool is here; Google’s is here; and Netflix’s is here).

When recovering a compromised online account you’re likely to go through different steps depending on whether you can still access it or not. If you can access the account companies will often ask how it was compromised and provide suggestions on steps to take. If you can’t access it you will likely be asked to provide more information about how the account was used (previous passwords, email addresses, security questions, and more). If a person or a group claims to have accessed your account and messaged you about it, you shouldn’t click on any links they send as these may be false claims and further attempts to access personal information.

Account recovery through the company where you’ve been hacked is the first step in taking back control. You should make sure that all apps and software you use (on phone and desktop) are up to date. What other action you take is specific to what was compromised. For instance, if you can get back into a hacked email account it is worth checking the settings to make sure they’ve not been manipulated. A setting to automatically forward all your emails to another account may have been turned on, for example.

You should change the password of the compromised account and any other accounts that use the same password (more on that later) and get in touch with anyone who may have been impacted by the hack. For instance, if messages have been sent from your Instagram account or you’re forced to create a brand new social media account, you may need to let friends and family know the details of the new account or explain what the random messages were about.

If appropriate you can also report hacking to law enforcement bodies. In the UK, you can send details about cybercrime and identity theft to ActionFraud. Cases of harassment can be reported to the police.

Secure everything

The best way to reduce your chances of being hacked is to limit your personal attack surface. The better your online hygiene is to begin with, the less chance you have of being compromised. (Although some attacks will always happen; particularly those from sophisticated actors who are going after specific targets).

“Information on you is key to a successful attack so minimising your available private data online should push the attacker onto the next less fortunate victim,” Moore says. If your accounts have been compromised once, and are being attacked by an organised group, there’s a greater chance you may be targeted again.

When you’re thinking about your online presence you should take into account how much information you’re proactively putting out there. “What I tell people is: Google yourself, lock yourself down, make it harder to access information about you,” Eva Galperin, the director of cybersecurity at the Electronic Frontier Foundation previously said. “When you post your photos to Instagram, or you make posts to Facebook, or you tweet something about your location, people can take that stuff, put it into another context, and suddenly you have been doxed. What people can really give away about you is the stuff that you’ve already given away about yourself.”

Practically, there’s a lot that can be done to shore-up online accounts. Everyone should be using a password manager to create and hold unique, strong passwords. Nobody should be using the same password across multiple websites, even if you perceive your risk of being hacked to be low.

If you’ve been hacked on one account this should be the motivation you need to check the other online accounts you use: update passwords and check security settings. When updating accounts you should also attempt to use complex security questions where possible. The answers should be something that only you know.

While you’re in the mindset of updating passwords across your accounts also take some time to consider the old zombie accounts you no longer use. What information is stored in that old Hotmail account you never use?

As well as a password manager, multi-factor authentication (MFA) should be turned on for as many sites and services as possible. This is one of the most effective ways to secure your accounts from hackers. The most common type of MFA is two-factor authentication where another piece of information, on top of your password, is required to login to a service. Most commonly this is an SMS message, authenticator app, or physical security key. A list of websites and apps supporting 2FA can be found here.

For people with the highest threat levels there are a number of extra steps that can be taken. To increase online privacy and anonymity you can use a VPN, Tor or Google’s Advanced Protection programme.

Matt Burgess is WIRED’s deputy digital editor. He tweets from @mattburgess1