"Hacked" can mean two very different problems: an account takeover (someone got into an online account) or a device compromise (malware, spyware, or a stolen session on a phone or computer). The fastest way to get control is to look for concrete signals and respond in the right order.
If you only do one thing: secure your email inbox first. Email resets most accounts. If your inbox is compromised, every other fix is temporary.
Triage: decide what kind of incident this is
Start with the highest-impact questions. Answering these quickly tells you where to spend effort.
| Question | If yes, suspect | First move |
|---|---|---|
| Are there unauthorized charges or transfers? | Financial fraud | Call your bank or card issuer now, freeze or lock what you can, preserve evidence |
| Do you see new logins, new devices, or password resets you did not request? | Account takeover attempt | Secure email, change passwords from a trusted device, revoke sessions |
| Is your device behaving oddly (popups, redirects, new "security" apps, unknown admin tools)? | Device compromise | Disconnect, check for spyware, then change passwords from a clean device |
| Did someone ask you for a one-time code or "verification"? | Phishing or fake support | Assume compromise in progress, secure accounts, stop responding |
If any money flow is involved, treat it as urgent. You can clean up accounts after you stop financial loss.
Fast checks that produce evidence
Evidence is not about blame. It is about choosing the right fix and proving what happened when you dispute charges or request support.
- Security emails: search your inbox for password reset emails, login alerts, and new-device notices. Check trash and spam.
- Account activity: review recent logins, signed-in devices, and active sessions on your most important accounts.
- Account changes: look for new recovery emails, new phone numbers, new forwarding rules, and new connected apps.
- Payments: check bank and card statements, plus payment apps and subscriptions for unauthorized charges.
Rule of thumb: a password reset email you did not request is not "noise." It is a signal that someone is probing your recovery path.
Start with the control plane (email, phone, password manager)
Most recoveries fail because the attacker keeps re-entering through email, phone number takeover, or a compromised device session.
1) Secure your email inbox
- Change the email password from a trusted device.
- Enable two-factor authentication (2FA) on the email account.
- Review forwarding rules and filters. Remove anything you did not create.
- Review connected apps and sign-in history. Sign out unknown sessions.
2) Secure your phone number if SMS recovery is involved
If you rely on SMS codes, your carrier account becomes part of your recovery surface. If you have signs of phone-number hijacking, see SIM swapping.
3) Secure your password manager (if you use one)
If a password manager vault is compromised, password changes will not stick. Protect it with strong authentication and review trusted devices.
Account takeover checks (what to look for, and what to do)
Account takeover usually shows up as either unauthorized access or unauthorized changes. The response should remove access and prevent re-entry.
High-signal takeover indicators
- New devices or sessions you do not recognize
- Password reset emails you did not request
- Recovery email or phone number changed
- New connected apps or delegated access
- Messages sent that you did not write
Containment sequence (accounts)
- Secure email first (password + 2FA + forwarding rules).
- Change the compromised account password to a unique password.
- Revoke sessions (sign out other devices, remove unknown devices).
- Remove persistence (connected apps, delegated access, recovery changes).
- Notify contacts only if needed to stop active scams from your account.
If the attack started with a message asking you to log in or share a code, use how to identify scam emails to prevent the same path from working again.
Device compromise checks (when the device is the problem)
If you keep getting re-compromised after changing passwords, or you see persistent redirects and new "security" prompts, treat it as a device problem. Malware can steal sessions and new credentials immediately.
Signs your device may be compromised
- Browser redirects you cannot explain
- New extensions or profiles you did not install
- Unusual background activity, new admin tools, or unknown device-management profiles
- Repeated login prompts across multiple services
Start with how to detect spyware. If you confirm compromise, change passwords only after you are confident you are using a clean device.
Financial checks (stop loss first)
If you see unauthorized charges, focus on stopping further loss and preserving evidence. The next steps depend on the payment method and provider.
- Contact your bank or card issuer immediately and ask about freezes, locks, and disputes.
- Change passwords on payment apps and email, and revoke sessions.
- Preserve evidence: screenshots, receipts, chat logs, and timestamps.
- If the fraud is broader than a single account, use IdentityTheft.gov to organize documentation: IdentityTheft.gov.
For fraud reporting in the U.S., ReportFraud.ftc.gov is a standard entry point: ReportFraud.ftc.gov. For internet crime reports, IC3 is commonly used: IC3 complaint portal.
When you should escalate beyond self-help
Self-remediation is reasonable for many incidents. Escalate when the blast radius is large or you cannot stabilize access.
- You cannot regain email access or the attacker changed recovery options.
- Unauthorized transfers keep happening.
- You suspect spyware or a targeted threat.
- The compromise affects business accounts, admin consoles, or shared infrastructure.
If you want a step-by-step containment flow that assumes you are in the middle of an incident, use been hacked? what to do first. If you need a long-term baseline once things are stable, use how to protect your online information.
Checking whether you have been hacked is useful only when it leads to the right sequence of actions. Secure the control plane, remove attacker sessions, and stop password reuse. That is what turns uncertainty into control.
Once the control plane is stable, the rest becomes measurable: either the suspicious signals stop, or you have a clear path to isolate a compromised device or account.
The goal is not perfect certainty. The goal is preventing re-entry and stopping harm while you regain reliable access.