Account Security · March 24, 2026 · 5 min read

The moment you realise your account has been hacked, your instinct is to panic. You might freeze, unsure where to start or what to do first. That panic is completely understandable — but it is also exactly what makes the situation worse. The few minutes you spend paralysed are minutes the attacker is using to cause more damage. What you need right now is a clear, methodical plan. This is it.

Before anything else, take one breath and understand this: account compromise is recoverable. Millions of people have been in exactly this situation and come through it. The steps below are not complicated. You do not need technical knowledge. You just need to work through them in order, without skipping anything.

Step 1: Secure your email account first

Your email account is the master key to everything else in your digital life. Every other account you own — your bank, your social media, your shopping accounts — can be accessed by whoever controls your inbox through password reset emails. This is why email is always the first priority.

Go to your email provider directly by typing the address into your browser (do not click any links). Change your password to something long, unique, and randomly generated if possible. Immediately enable two-factor authentication if it is not already on — go to your account security settings and follow the instructions to connect an authenticator app. Then check your login activity and sign out of all other active sessions.

While you are in your email settings, check for any forwarding rules or filters you did not create. Attackers frequently set these up to continue receiving your emails even after you change your password. Delete anything you did not configure yourself.
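Mail providers that let you export your filters make this check scriptable. The example below is added here and is not code from the original article: it parses a constructed sample in the Atom/apps:property shape that a Gmail filter export uses (assumed format) and flags every rule that forwards, trashes, archives or auto-reads mail, the actions an intruder would need to keep reading your inbox quietly.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a filter export. One benign labelling rule, and one
# rule of the kind described above: it catches security mail, forwards it to
# an outside mailbox, then trashes it so the owner never sees it.
SAMPLE_FILTERS_XML = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR verification code'/>
    <apps:property name='forwardTo' value='outside-mailbox@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Filter actions that hide mail from the owner or copy it elsewhere.
SUSPICIOUS_ACTIONS = {"forwardTo", "shouldTrash", "shouldArchive", "shouldMarkAsRead"}


def audit_filters(xml_text):
    """Return [(conditions, suspicious_actions)] for every filter whose
    actions include forwarding, trashing, archiving or auto-marking as read."""
    root = ET.fromstring(xml_text)
    findings = []
    for entry in root.findall(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(APPS + "property")}
        actions = {k: v for k, v in props.items() if k in SUSPICIOUS_ACTIONS}
        if actions:
            conditions = {k: v for k, v in props.items() if k not in SUSPICIOUS_ACTIONS}
            findings.append((conditions, actions))
    return findings


if __name__ == "__main__":
    for conditions, actions in audit_filters(SAMPLE_FILTERS_XML):
        print("Review this filter:", conditions, "->", actions)
```

Replace SAMPLE_FILTERS_XML with the contents of your own export; any rule it reports that you did not create yourself should be deleted.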

Step 2: Change passwords on all important accounts

Once your email is secured, systematically change the password on every account that matters: online banking and savings accounts, investment and pension portals, Apple ID or Google account, social media profiles, Amazon and other shopping sites, your work email if you use the same password anywhere, and any account that stores your payment details.

Use a different password for every single account. If you are not already using a password manager like Bitwarden, now is the moment to start. Download it, create an account with a strong master password, and let it generate unique random passwords for each service as you change them. This process typically takes 20 to 40 minutes but is worth every second.

Prioritise accounts in this order: email first, then banking, then any account linked to your payment card, then social media, then everything else.

Step 3: Enable 2FA on every important account

Two-factor authentication means that even if someone has your password, they cannot get in without a second verification code that only you can generate on your phone. After changing each password, immediately enable 2FA on that account before moving to the next one. Do not skip this step — it is the difference between an account that is secured and an account that is merely relocked with a new key that could be stolen again.

Use an authenticator app like Authy for all accounts that support it. It is free, easy to set up, and dramatically more secure than SMS codes. For your highest-value accounts — email and banking — consider a hardware security key as a secondary option.

Step 4: Check for unauthorised activity on every account

On each account you have secured, look through the recent activity log. Most services provide this in their security or account settings. You are looking for: emails sent from your account that you did not send, purchases or payments you did not authorise, profile or contact detail changes, new devices added to your account, and any connected apps you did not install yourself.

If you find unauthorised purchases on your bank account or credit card, contact your bank immediately. Under UK banking regulations and the Contingent Reimbursement Model, you have strong grounds for reimbursement if you report promptly. Call the number on the back of your card rather than using any contact details you received by email.

Step 5: Audit connected apps and revoke suspicious access

In your Google, Apple, Facebook, and other major account security settings, find the section showing third-party apps and services that have been granted access to your account. Attackers sometimes maintain persistent access after a compromise by connecting a malicious application — even after you change your password, the app token remains valid.

Remove anything you do not recognise, anything you no longer use, and anything that seems to have more permissions than it should need. Be thorough — this step is frequently skipped and it is exactly the gap attackers rely on.

Step 6: Scan all your devices for malware

If your accounts were compromised, consider whether your device itself might be infected. Download Malwarebytes (free) on your computer and run a full scan. On your smartphone, review your recently installed apps and uninstall anything unfamiliar — pay particular attention to anything installed in the days or weeks before you noticed the problem.

On iPhone, go to Settings, then your Apple ID, then look at devices connected to your account and remove any you do not recognise. On Android, go to Settings, Security, then Device Administrators and remove anything suspicious.

Step 7: Notify the people who need to know

If your email was compromised, let your contacts know. Attackers commonly use access to an email account to send phishing messages to everyone in the address book — the messages appear to come from you, which makes them highly effective. A quick message or call to your close contacts warning them that you were compromised and that any unusual messages from you recently may not be genuine can prevent them from falling for follow-on attacks.

If personal identification information was exposed — your national insurance number, date of birth, home address, or passport details — report this to Action Fraud (actionfraud.police.uk) and consider placing a protective registration with CIFAS (cifas.org.uk), which adds a flag to your credit file warning lenders that you may be a victim of identity fraud.

Understand how it happened and prevent recurrence

Once your accounts are secured and the immediate damage is contained, spend time understanding the root cause. Check your email address at haveibeenpwned.com to see if it appears in any known data breaches. Review your recent emails for any phishing messages you might have interacted with. Consider whether you were reusing passwords that were exposed elsewhere.

Understanding the cause is not about blame — it is about making sure it does not happen again. The most common causes of account compromise are password reuse across multiple sites, clicking phishing links, and weak passwords that were guessed or cracked. Each of these has a straightforward fix: unique passwords everywhere via a password manager, and 2FA on all important accounts.

Most important takeaway: Being hacked is recoverable. Act quickly, work through these steps in order, and use this experience to build security habits that mean it is far less likely to happen again. Every step you complete reduces the damage and improves your long-term security.
MyTechGuard Team
Cybersecurity Writers & Researchers

We translate complex cybersecurity topics into plain English so everyday people can protect themselves online — no technical background required.
