You’ve been hacked and I know how you feel. It sucks and I’ve been there. Once you’re done feeling sorry for yourself, you need to start protecting yourself. Whether it’s as simple as your email password being stolen or as devastating as an identity theft, it’s important that you act fast. Here is a step-by-step guide for what to do when you’ve been hacked.
Last month, I woke up one morning to find a bunch of authentication texts from Google asking if I had forgotten my password. I hadn’t.
Instead, I quickly discovered that my email had somehow been hacked and Google had shut down account access when they couldn’t reach me for verification.
I breathed a sigh of relief until later that morning when my bank sent me an email saying that they noticed some suspicious activity. I was beginning to get quite nervous.
Less than two hours later, my phone company sent me a text alerting me to fraudulent activity on my account.
At that point I was in full freak-out mode.
When it comes to hacking and identity theft, speed is key. Hackers know they have limited time to take advantage of their new-found account access so they often make quick work of your identity.
What I learned that day – and have continued learning since – are the steps that I had to take to lock down my accounts, secure my identity and reset my life after being hacked.
This is what I’d like to share with you.
Step #1: Immediately Change Your Password(s)
After finding that my email had been hacked, the very first order of business for me was to change my secure password. As easy as that may sound, because Google had locked down my account, it was actually quite difficult.
Thankfully, I had listed a recovery email and verified my phone with Google so after about 5-10 minutes of resetting the account and creating a new password using my favorite password manager software, I was squared away.
STOP HERE: Whatever account has been hacked, you need to change the password right now. If for some reason that’s not possible, you need to call the company and freeze the account.
Step #2: Quickly Assess the Situation (& Assume the Worst)
At this point you should stop and quickly assess what has happened. Try to imagine what could have happened to determine what you need to do next. For example:
- Did you use this password elsewhere? If you’re the kind of person who recycles the same password in multiple places, you might have some work to do. If the hacker somehow got a hold of your email and password, they will immediately find your other accounts and start trying that password. As you go through, make sure you use this opportunity to create the most secure password possible for each account.
- What kind of information did your account have? After my email was hacked, I didn’t realize that the hacker had access to my social security number until my bank alerted me to a possible credit fraud. Over the years of emailing my tax documents to accountants, I forgot that my SSN was probably an easy grab for the hacker.
- Are there any changes to the account? After my email was hacked, I immediately looked at my sent mail as well as my account settings to make sure that the hacker hadn’t authorized another account to send or receive my mail. With my bank and phone company, I called to make sure no changes had been made in the past 24 hours.
It’s stressful to have to think through all of this – trust me, I know. Still, it’s very important that you take the time. I would even suggest calling a trusted friend to ask them to help you think about what you should be doing next.
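The account-settings check from the last bullet can be done systematically. The following is an added example, not part of the original post: it reviews an export of mailbox settings for anything that sends, copies or hides mail on someone else's behalf. The sample data is constructed, shaped like the Gmail API settings resources; the `owner` key and the function name are assumptions made for this illustration.

```python
import json

# Constructed sample, shaped like Gmail API settings responses
# (forwardingAddresses, filters, delegates, sendAs). "owner" is added here.
SAMPLE = json.loads("""
{
 "owner": "me@example.com",
 "forwardingAddresses": [{"forwardingEmail": "drop@mailbox.example.net"}],
 "filters": [
  {"id": "f1", "criteria": {"from": "news@example.org"},
   "action": {"addLabelIds": ["Label_7"]}},
  {"id": "f2", "criteria": {"query": "bank OR password"},
   "action": {"forward": "drop@mailbox.example.net", "removeLabelIds": ["INBOX"]}},
  {"id": "f3", "criteria": {"from": "alerts@bank.example"},
   "action": {"addLabelIds": ["TRASH"]}}
 ],
 "delegates": [],
 "sendAs": [{"sendAsEmail": "me@example.com", "isPrimary": true,
             "replyToAddress": "reply@mailbox.example.net"}]
}
""")

def audit_mail_settings(settings, trusted=()):
    """Return (kind, detail) pairs the account owner should review by hand."""
    known = {settings["owner"].lower(), *(a.lower() for a in trusted)}
    findings = []
    for fwd in settings.get("forwardingAddresses", []):
        if fwd["forwardingEmail"].lower() not in known:
            findings.append(("forwarding-address", fwd["forwardingEmail"]))
    for flt in settings.get("filters", []):
        action = flt.get("action", {})
        target = action.get("forward")
        if target and target.lower() not in known:
            findings.append(("filter-forwards", flt["id"]))
        # Filters that skip the inbox or trash mail can hide security alerts.
        if "INBOX" in action.get("removeLabelIds", []) or "TRASH" in action.get("addLabelIds", []):
            findings.append(("filter-hides-mail", flt["id"]))
    for delegate in settings.get("delegates", []):
        findings.append(("delegate", delegate["delegateEmail"]))
    for alias in settings.get("sendAs", []):
        for key in ("sendAsEmail", "replyToAddress"):
            addr = alias.get(key)
            if addr and addr.lower() not in known:
                findings.append(("send-as", addr))
    return findings
```

Every finding is a prompt for manual review rather than proof of compromise, since a filter that archives newsletters is flagged the same way as one that hides bank alerts.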
Step #3: Create Fraud Alerts for Your Credit
I don’t care if the account that got hacked was your bank account, email account or your shopping account at Amazon. Setting up an account fraud alert with the credit bureaus is a no-brainer.
The first thing I did was call my bank (Chase) to ask the details behind the security alert. They told me about a credit pull that took place with another bank in another state.
When I called the other bank (Citibank), they confirmed that somebody had opened an account using my social security number…and it had been approved! After identity verification, we were able to cancel that account without issue. Thankfully, I had caught this fast.
Create Fraud Alert:
I then spent 20 minutes online setting up an account fraud alert with all three of the credit bureaus. This alert means that any credit applications I make in the future will be subject to even further scrutiny and verification.
An alert will make it very hard (but not impossible) for you to open a new credit card or get a loan, but it will also eliminate any threat of your identity being used for further harm.
UPDATE: While applying for a new credit card recently, because of the fraud alert, I had to verify myself in multiple ways before they would issue the new credit. It took an extra 10 minutes, but it still worked!
They say you can set up the alert with just one bureau and they will alert the other two. Honestly, these credit bureaus don’t seem to be very organized (I called them), so I recommend just setting up an alert for all three at the same time.
The account alert lasts for 90 days, at which point you can let the alert lapse or you can renew it for another 90 days.
Step #4: Go Back and Set Up 2-Factor Authentication
Now that you’ve changed your passwords, assessed the situation and set up account alerts, the next step is to double up on your account security to make sure the ordeal can’t get worse.
If you haven’t already done this, make sure you activate 2-step authentication for all of your accounts. It’s a bit of an annoyance, I know, but the security is worth the effort, I promise.
Two-factor authentication is becoming an option for many online accounts including Facebook, Google, Twitter and many more. It takes many different forms, but usually looks like one of the following:
- 2-Factor Authentication via Text Message: The most common form of 2-factor authentication is the text message. You log into your account with your password and are then sent a text message with a numeric passcode that you must enter to ensure it is you. Of these three options, text message 2FA verification is the least secure.
- 2-Factor Authentication via Mobile App: A number of applications and websites rely on the Google Authenticator app (available for iOS and Android) for 2-factor authentication. This app generates a new key every 20 seconds or so and you must open the app and type in the numeric code after entering your password.
- 2-Factor Authentication via Secure Key: The newest and most secure method for 2-factor authentication is what’s known as a “secure key”. This USB or Bluetooth key can be kept on your keychain and automatically lets your computer or mobile device know that you are the real you. I’ve written about my experience using the Google Titan Security Key here.
Whichever method you choose, I recommend you activate this 2-factor authentication for every account that will allow you to do so. You can either look in your account settings or search Google for “how to set up 2-factor authentication for ________.”
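How the mobile-app codes described above are produced and checked, as an added example that is not part of the original post. It implements time-based one-time passwords as specified in RFC 6238; the 30-second step and 6 digits are that standard's common defaults and are assumed here, as is the `verify` helper, and the secret is the RFC's published test value. The code is computed on the phone from a shared secret and the clock, so nothing travels over the phone network the way a text message does.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32.upper())
    counter = int(unix_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify(secret_b32, submitted, unix_time, step=30, digits=6,
           window=1, last_used=None):
    """Server-side check (hypothetical helper).

    Accepts codes from +/- `window` steps to tolerate clock drift and
    rejects a code whose step was already used, so a code observed once
    cannot be replayed. Returns the matched step counter, or None.
    """
    now = int(unix_time) // step
    for counter in range(max(0, now - window), now + window + 1):
        expected = totp(secret_b32, counter * step, step, digits)
        if hmac.compare_digest(expected.encode(), str(submitted).encode()):
            if last_used is not None and counter <= last_used:
                return None  # replay of an already-accepted code
            return counter
    return None

# Published RFC 6238 / RFC 4226 test secret, base32-encoded as apps expect.
RFC_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                         # code for step 1
    print(verify(RFC_SECRET, "287082", 59))             # accepted
    print(verify(RFC_SECRET, "287082", 119))            # expired
    print(verify(RFC_SECRET, "287082", 59, last_used=1))  # replay
```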
Step #5: Monitor Your Accounts Closely for the Next Month
The final step here is to monitor all your accounts like a hawk for the next month or two. I’m not just talking about the account that was hacked – you should be monitoring all accounts for the next month.
This should be done in a number of different ways:
- Get Your Free Credit Report: Each credit bureau is required to give you one free credit report per year, so take advantage of yours now. Check through to make sure that there isn’t any information that you don’t recognize.
- Tell Your Friends/Family to be on Alert: Tell them about being hacked so if they get weird social media requests from you or a fishy phone call, they know to be careful about what kind of information they give. They should also tell you about it.
- Consider an Identity Monitoring Service: Although there’s a cost involved here, identity monitoring companies such as Lifelock provide a valuable service. After a month, you’ll get bored of monitoring your accounts and more than likely start to forget about having been hacked. Lifelock will maintain vigilant monitoring after you’ve long forgotten about it (and hackers know that).
Conclusion | What To Do When You’ve Been Hacked
Don’t freak out. You’re not the first person who’s been hacked and you certainly won’t be the last. Take a deep breath and follow the steps outlined in this guide.
Immediately change the password of the hacked account. Assess the situation and determine what needs to be done. Create a fraud alert with the credit bureaus and then go through all your accounts to set up 2-factor authentication.
Finally, when all of that is done, monitor your accounts for any suspicious activity.
There’s no way to escape the sick feeling of being violated and it sucks to know that this hacker likely won’t get caught for what they’ve tried to do to you. However, these steps will give you confidence that your accounts are secure and your identity is safe.
What was your experience with being hacked? Would you add any more suggestions to this list?