You’ve been hacked and I know how you feel. It sucks. Once you’re done feeling sorry for yourself, you need to start picking up the pieces and fixing things. Whether it’s as simple as your account password being stolen or as devastating as an identity theft, you must act fast. Here is a step-by-step guide for what to do when you’ve been hacked.
Key Takeaways
- Hacking and identity theft require swift action. This includes changing sensitive passwords immediately, assessing potential exposure, and setting up credit freezes.
- Check all accounts carefully for unauthorized changes and monitor them closely for suspicious activity over the next month.
- Set up two-factor authentication (2FA) on your email account, and use secure methods like authenticator apps or physical security keys.
- Use a password manager to create unique passwords for all accounts to limit exposure if one is compromised.
I woke up one morning to find a bunch of authentication texts from Google asking if I had forgotten my password.
I hadn’t.
Instead, I quickly discovered that my email had somehow been hacked and that Google had shut down my access when they couldn’t reach me for verification.
I breathed a sigh of relief until later that morning when my bank sent me an email saying that they noticed some suspicious activity. I was beginning to get quite nervous.
Less than two hours later, my phone company sent me a text alerting me to fraudulent activity on my account.
At that point, I was in full freak-out mode.
When it comes to hacking and identity theft, speed is key. Hackers know they have limited time to take advantage of their new-found account access so they often make quick work of your identity.
What I learned that day – and have continued learning since – are the steps that I had to take to lock down my accounts, secure my identity, and reset my life after being hacked.
Here are the 5 steps to take after you’ve been hacked:
I hope this can be helpful for you as well.
Step #1: Immediately Change Your Passwords
After finding that my email had been hacked, the very first order of business for me was to change my secure password for my most sensitive logins.
As easy as that may sound, because Google had locked down my Gmail account, it was actually quite difficult (thankfully, I still had access to the email I had created as an alternative to Gmail).
Thankfully, I had listed a recovery email and verified my phone with Google, so after about 5-10 minutes of requesting the password reset link and creating a new password using my favorite password manager software, I was squared away.
STOP: Do This Now
Go through and change the passwords to your most sensitive accounts (banking, email account, investment) as well as to the one that was hacked (if possible).
Make sure your new password is even better than your last. If you’re not using a password manager to help you create these stronger passwords, here is a comparison of my recommended password managers.
If for some reason changing the password is not possible, you need to call the company and freeze the account.
Once you’ve changed your password, it’s also a good idea to go through these 5 steps to further secure your Gmail account. You may want to finish working to fix your current hacking situation, but you’ll eventually want to go back and secure your account.
Step #2: Quickly Assess the Situation (& Assume the Worst)
At this point, you should take a moment, breathe, and try to assess what has happened.
Take a short walk or call a friend if you need to. You need a level head to start thinking through implications and worst-case scenarios.
Try to imagine what could have happened to determine what you need to do next. For example:
- Did you use this password elsewhere? If you’re the kind of person who recycles the same password in multiple places, you might have some work to do. If the hacker somehow gets a hold of your email and password, they will immediately find your other online logins and start trying that password. You need to start changing your passwords for your most sensitive accounts immediately, and you don’t want them to be the same password. Creating secure passwords via a good password manager comes in handy in situations like these.
- What kind of information did your archive have? After my email was hacked, I didn’t realize that the hacker had been able to gain access to my social security number until my bank alerted me of possible credit fraud. Over the years of emailing my tax documents to accountants (why did I do that?!), I forgot that my SSN was probably an easy grab for the hacker.
- Are there any changes to the account? After my email was hacked, I immediately looked at my sent mail as well as my settings to make sure that the hacker hadn’t authorized another user to send or receive my mail. With my bank and phone company, I called to make sure no changes had been made in the past 24 hours.
It’s stressful to have to think through all of this.
Trust me, I know.
Still, you must take the time as you figure out what to do now that you’ve been hacked. This is your opportunity to minimize the damage and make sure that nothing bad happens.
Try to use this as an opportunity to create a better password profile and better personal security practices.
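To answer the "Did you use this password elsewhere?" question from the list above, the following added example (not part of the original article) reads a password manager export and lists which accounts share a password with the hacked one, most sensitive first. The column names and the sample rows are constructed assumptions; adjust them to match your own export.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column names (name, category, password)
# are assumptions, so map them to whatever your password manager exports.
SAMPLE_EXPORT = """name,category,password
Gmail,email,Tr0ub4dor&3
Chase,banking,Tr0ub4dor&3
Old Forum,other,Tr0ub4dor&3
Amazon,shopping,c0rrect-horse-battery
Phone Carrier,telecom,c0rrect-horse-battery
Brokerage,investment,x9!Lq2#vPz7w
"""

# Categories the article says to change first.
SENSITIVE = {"banking", "email", "investment"}

def fingerprint(password):
    """Hash the password so plaintext is never kept in the grouping keys."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def load_accounts(csv_text):
    """Return (name, category, fingerprint) tuples from an export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["name"], r["category"], fingerprint(r["password"])) for r in rows]

def exposed_by(compromised, accounts):
    """Accounts sharing a password with `compromised`, sensitive ones first."""
    by_name = {name: fp for name, _, fp in accounts}
    if compromised not in by_name:
        raise KeyError(f"{compromised!r} is not in the export")
    hits = [(n, c) for n, c, fp in accounts
            if fp == by_name[compromised] and n != compromised]
    return sorted(hits, key=lambda nc: (nc[1] not in SENSITIVE, nc[0]))

def reuse_groups(accounts):
    """Every set of accounts that shares one password, hacked or not."""
    groups = defaultdict(list)
    for name, _, fp in accounts:
        groups[fp].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

if __name__ == "__main__":
    accts = load_accounts(SAMPLE_EXPORT)
    print("change now:", exposed_by("Gmail", accts))
    print("also reused:", reuse_groups(accts))
```

Delete the exported file once you have your list, since it holds every password in plaintext.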
Step #3: Create Fraud Alerts for Your Credit
I don’t care if the account that got hacked was your bank, your email, or your shopping log-in at Amazon.
Setting up a credit freeze or fraud alert with the credit bureaus is a no-brainer.
The first thing I did was call my bank (Chase) to ask for the details behind the security alert. They told me about a credit pull that took place with another bank in another state.
When I called the other bank (Citibank), they confirmed that somebody had opened an account using my social security number…
…and it had been approved!
After identity verification, we were able to cancel that account without issue. Thankfully, I had caught this fast.
I then spent 10 minutes online creating a credit freeze with all three of the credit bureaus.
A credit alert means that any future credit applications made using my information will be subject to even further scrutiny and require extra verification.
An alert will make it very hard (but not impossible) for you to open a new credit card or get a loan, but it will also eliminate any threat of your identity being used for further harm.
The Hassle of Credit Freezes
While applying for a new credit card recently, because of the freeze, I had to verify myself in multiple ways before they would issue the new credit. It took an extra 10 minutes, but it still worked!
Unfortunately, you can’t set up the freeze with just one bureau…you need to go through each of the big three to make sure it’s been set up individually.
Honestly, these credit bureaus don’t seem to be very organized (I called them), so I recommend just setting up an alert for all three at the same time. It’s definitely not going to hurt you to do this.
The credit freeze lasts as long as you want it to, so you’ll have to go in and “thaw” the freeze whenever you want to start using more credit again.
IMPORTANT: Identity Theft Victims
If you’ve been hacked and you suspect that your identity has been stolen or is being used maliciously, there are two extra steps you should take.
First, you’ll want to jump over to IdentityTheft.gov to report the theft and get help developing a recovery plan.
Second, you’ll want to set up credit monitoring, which I will address below in step 5. Various companies do this, but I use and recommend IdentityForce.
Step #4: Go Back & Set Up 2-Factor Authentication
Now that you’ve defensively changed your passwords, assessed the situation, and set up a fraud alert, you need to go on the offensive.
You need to take the steps necessary to future-proof yourself from being hacked again.
If you haven’t already done this, make sure you activate 2-step authentication for all of your online logins. It’s a bit of an annoyance, I know, but the security is worth the effort, I promise.
Two-factor authentication (2FA) is becoming a standard security feature for many online accounts. This is true whether you’re trying to change the privacy settings on Facebook or you’re locking down Google or Twitter.
It takes many different forms, but usually looks like one of the following:
- Two Factor Authentication via Text Message: Formerly the most common form of authentication, SMS authentication is now considered the least secure of the three options listed here. You log into your account with your password, which then sends a text message with a numeric passcode that you must enter to ensure it is you.
- 2-FA via Mobile App: A number of applications and websites rely on the Google Authenticator app (available for iOS and Android) for 2-factor authentication. This app generates a new key every 20 seconds or so and you must open the app and type in the numeric code after entering your password. If you need help, here is my tutorial for how to set up Google Authenticator.
- 2-FA via Secure Key: The newest and most secure method for 2-factor authentication is what’s known as a “secure key”. This USB or Bluetooth key can be kept on your key chain and automatically lets your computer or mobile device know that you are the real you. You can learn how to set up a Yubico 2FA key here.
Whichever method you choose, I recommend you activate this 2-factor authentication for every login that will allow you to do so.
You can either look in your settings or search Google for “how to set up 2-factor authentication for ________.”
Step #5: Monitor Your Accounts Closely for the Next Month
The final step here is to monitor all your bank, email, and social media accounts and login credentials like a hawk for the next month or two.
I’m not just talking about the account that was hacked – you should be monitoring ALL of them for the next month.
This should be done in a number of different ways:
- Get Your Free Credit Report: Each credit bureau is required to give you one free credit report per year, so take advantage of yours now. Check through to make sure that there isn’t any information that you don’t recognize.
- Tell Your Friends/Family to be on Alert: Tell them about being hacked so if they get weird social media requests from you or a fishy phone call, they know to be careful about what kind of information they give. They should also tell you about it.
- Consider an Identity Monitoring Service: Although there’s a cost involved here, identity monitoring companies such as IdentityForce provide a valuable service (which includes $1 million in identity theft protection). After a month of getting bored of monitoring your accounts, you’ll more than likely start to forget about having been hacked. IdentityForce will maintain vigilant monitoring after you’ve long forgotten about it (and hackers know that).
Final Thoughts | What To Do When You’ve Been Hacked
You’re not the first person who’s been hacked and you certainly won’t be the last. Take a deep breath and follow the steps outlined in this guide.
- Immediately change the password of the hacked login. Follow suit with others if you have the time.
- Assess the situation and determine what needs to be done.
- Create a fraud alert with the credit bureaus.
- Go through all your online accounts to set up 2-factor authentication.
- Finally, when all of that is done, monitor your financial accounts and email for any suspicious activity.
There’s no way to escape the sick feeling of being violated and it sucks to know that this hacker likely won’t get caught for what they’ve tried to do to you.
However, these steps will give you confidence that your online logins are secure and your identity is safe. The tools listed here as well as other recommended online security resources will help you take back control of your privacy and identity.