HACKED ACCOUNT RECOVERY

I Got Hacked: A Step-by-Step Recovery Guide (What to Do in the First 24 Hours)


Your heart rate spikes. An unfamiliar login notification. A payment you didn't make. A text from a friend asking if you sent them a weird message.
You've been hacked.
The moment you realize it, panic is the natural response. But panic is the worst thing you can do. Every second counts, and the steps you take in the next 24 hours determine whether the hacker has brief, limited access or complete control of your digital life.
This guide walks you through exactly what to do, in order, starting now.


Key Takeaways
• Secure your email account first—it's the master key to everything else
• Change your most critical passwords (email, banking, social media) immediately, from a clean device if possible
• Enable two-factor authentication on all accounts, especially financial ones
• Check your accounts for unauthorized activity, changed contact details, and connected apps
• Report the breach to Action Fraud (UK), your bank, and relevant companies within 24 hours
• Document everything—dates, times, screenshots, transaction details
• After immediate crisis management, build a resilient system with offline backups and recovery codes


Don't Panic—But Move Fast
You need to do two things simultaneously: respond quickly and think clearly. The hacker's window of opportunity shrinks with every step you take to lock them out, but hasty mistakes can make things worse.
Here's the reality: if a hacker has access to your email, they can reset passwords on nearly every service you use. They can change recovery email addresses and phone numbers. They can lock you out of your own accounts. The email account is the skeleton key.
But they don't have unlimited time. Most attackers move fast—they try to steal money, extract data, or establish persistent access. Once you lock them out, they typically move on to easier targets. You're not necessarily in a multi-week battle. You're often in a 24-48 hour critical period.
Stay calm. Follow this guide in order. You can recover from this.


Hour 1: Secure Your Accounts


Step 1: Access your email from a device you trust
Do not check email on public wifi. Do not use the device that might be compromised. If possible, use a personal computer at home or a phone you're confident is clean.
If you only have one device: turn off wifi and mobile data, restart the device completely, then turn on wifi from a trusted network (not a public one).
Step 2: Change your email password
This is the priority. Your email is the master key. If the hacker still has access, they can change your other passwords faster than you can secure them.
• Go to your email provider's login page directly (type the URL manually—don't click a link)
• Log out of all sessions
• Change your password to something completely new (at least 16 characters, random, unlike anything you've used before)
Use a password manager to generate and store this. If you don't have one, write it down on paper in a secure location—not on your phone.
Step 3: Check email recovery options
Go to your email's account recovery settings. Check:
• Recovery email address—is it still yours, or has the attacker added their own?
• Recovery phone number—same check
• Linked accounts—has the attacker added their phone or email?
Change anything suspicious immediately.
Step 4: Enable two-factor authentication on email
Your email provider offers options: SMS verification, authenticator app, or security keys.
SMS is faster to set up now, but authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are more secure. Do this now:
• Choose your 2FA method
• Complete the setup
• Save your backup codes somewhere safe (physical paper or a password manager, not just on your phone)
Step 5: Change passwords on financial accounts
Your bank account and payment services (PayPal, Wise, crypto exchanges) are next. These are likely targets.
• Log in to each account (again, from a trusted device on trusted wifi)
• Change the password
• Enable 2FA if available
• Check for unauthorized transactions
If you see fraudulent transactions, don't delete them yet. Take screenshots first. You'll need evidence when reporting to your bank.
Step 6: Change passwords on social media and communication apps
Facebook, Instagram, LinkedIn, WhatsApp, Telegram—any platform that holds personal information or could be used to impersonate you:
• Change passwords
• Check connected apps and revoke access to anything suspicious (Settings > Apps > Connected Apps, then remove unfamiliar entries)
• Enable 2FA


Hour 2-4: Check the Damage

Now that you've locked down your accounts, assess what was accessed and what the hacker might have done.
Check your bank accounts
Log into your bank (both online and via mobile app). Look for:
• Unauthorized transactions (anything you didn't make)
• Changed payee details (has someone added a new bank account as a payment destination?)
• Changed contact details (updated phone number or email—sometimes done so you don't see alerts)
• Unauthorized transfers or standing orders
Take screenshots of everything suspicious. Don't try to reverse transactions yet—document first.
Check your credit report
Visit Clearscore.com, Experian.co.uk, or Equifax.co.uk and check your credit file. Look for:
• Accounts opened in your name that you didn't open
• Hard inquiries from lenders you didn't contact
• Changed contact details
If you see fraud, place a fraud alert on your credit file (all three providers offer this). This makes it harder for attackers to open new accounts in your name.
Check for connected services
Attackers often link compromised accounts to their own accounts, creating backdoors:
• Google/Apple: check connected devices and sign out of unfamiliar ones
• Amazon: check login activity and connected apps
• PayPal/Stripe: check connected bank accounts and authorized applications
• Social media: check where you've authorized third-party apps to post or access your data
Revoke access to anything suspicious.
Check your email forwards
Go to your email's forwarding settings. Has the attacker set up an email forward that sends your incoming mail to their address? This is a common move—they can read your emails even after you change your password.
Delete any forwards you didn't create.
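
One way to run this check offline, as an added example that is not part of the original guide: the Python below reads a filter export and lists every rule that forwards mail to an address you do not own. It assumes the Atom XML layout Gmail uses when you export filters (the property names `forwardTo`, `shouldTrash` and `shouldArchive` are assumptions about that export); `audit_forwards` and the sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"
CRITERIA = ("from", "to", "subject", "hasTheWord")

# Constructed sample export (not real data): three filters, two of which forward.
SAMPLE_EXPORT = """
<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry>
    <apps:property name='from' value='alerts@bank.example'/>
    <apps:property name='forwardTo' value='drop@mailbox.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='subject' value='invoice'/>
    <apps:property name='forwardTo' value='Me.Work@Example.org'/>
  </entry>
</feed>
"""


def audit_forwards(export_xml, my_addresses):
    """Return one finding per filter that forwards to an address you don't own."""
    mine = {a.strip().lower() for a in my_addresses}
    findings = []
    root = ET.fromstring(export_xml.strip())
    for number, entry in enumerate(root.iter(ATOM + "entry"), start=1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.iter(APPS + "property")}
        target = props.get("forwardTo", "").strip().lower()
        if not target or target in mine:
            continue  # no forward, or a forward you set up yourself
        findings.append({
            "filter": number,
            "forwards_to": target,
            "matches": {k: props[k] for k in CRITERIA if k in props},
            # A forward that also trashes/archives hides the mail from you.
            "hides_mail": "true" in (props.get("shouldTrash"),
                                     props.get("shouldArchive")),
        })
    return findings


if __name__ == "__main__":
    for f in audit_forwards(SAMPLE_EXPORT, ["me.work@example.org"]):
        print(f)
```

A filter export does not include the account-level forwarding address, so still check the forwarding settings page itself.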
Check recovery codes and backup emails
Many services offer backup codes for account recovery. Log into important accounts and check whether new codes were generated or new recovery options were added. These might be the attacker's backdoors.


Hour 4-12: Report and Document

Contact Action Fraud (UK's official reporting body)
Go to actionfraud.police.uk and report the incident. You'll get a unique reference number. Save it. You'll need it when talking to your bank and insurance companies.
Reporting doesn't guarantee immediate action, but it:
• Creates an official record
• Helps authorities identify patterns in hacking campaigns
• Supports you if there are follow-up issues
Contact your bank
Call your bank's fraud line (the number on the back of your card). Explain:
• What happened
• When you discovered it
• Which transactions were unauthorized
• That you've changed your password and enabled 2FA
Your bank will:
• Reverse fraudulent transactions (usually within days to weeks)
• Issue a new card if necessary
• Investigate the breach
• Advise you on next steps

Contact other affected services
If the hacker accessed:
• Your email provider: report the unauthorized access
• Social media accounts: report the compromise and request a security review
• Cryptocurrency exchanges: report unauthorized trades and transactions
• Any online retailer where you have saved payment info: report and ask them to audit for unauthorized orders
Document everything
Create a detailed log:
• Date and time you discovered the breach
• Which accounts were accessed
• What the attacker did (transactions, password changes, etc.)
• Screenshots of evidence
• Reference numbers from police and bank reports
• Timeline of your recovery actions
Save this in multiple places: cloud storage (after it's secure), email to yourself, and a printed copy at home.
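
A sketch of such a log, as an added example that is not part of the original guide: each record carries a UTC timestamp, the SHA-256 of any screenshot, and the hash of the previous record, so a copy can later be checked against the final hash written on your printed copy. The function names, field names and sample entries are constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first record


def _digest(record):
    """SHA-256 over every field except the record's own hash."""
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def add_entry(log, account, action, evidence=b"", reference="", when=None):
    """Append a record; evidence is the raw bytes of a screenshot or export."""
    when = when or datetime.now(timezone.utc)
    record = {
        "recorded_utc": when.astimezone(timezone.utc).isoformat(timespec="seconds"),
        "account": account,
        "action": action,
        "reference": reference,  # e.g. police or bank reference number
        "evidence_sha256": hashlib.sha256(evidence).hexdigest() if evidence else "",
        "prev": log[-1]["hash"] if log else GENESIS,
    }
    record["hash"] = _digest(record)
    log.append(record)
    return record


def verify(log):
    """Return the index of the first altered record, or -1 if the chain is intact."""
    prev = GENESIS
    for i, record in enumerate(log):
        if record["prev"] != prev or record["hash"] != _digest(record):
            return i
        prev = record["hash"]
    return -1


def sample_log():
    """Constructed entries; the byte string stands in for a screenshot file."""
    t = datetime(2024, 1, 1, 9, 30, tzinfo=timezone.utc)
    log = []
    add_entry(log, "email", "discovered unfamiliar login", when=t)
    add_entry(log, "bank", "unauthorized payment", b"constructed-png-bytes", when=t)
    add_entry(log, "bank", "reported to fraud line", reference="REF-PLACEHOLDER", when=t)
    return log
```

`verify` only catches edits that break the chain; comparing the last record's hash with the one on paper is what catches a log that was rewritten from scratch.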


Hour 12-24: Harden Your Digital Life

By now, you've stopped the bleeding. Your critical accounts are locked down. The hacker's immediate damage is documented and being addressed.
The final hours of this 24-hour window are about preventing this from happening again.
Review your passwords across all accounts
You've changed critical passwords. Now go through everything else:
• Work email and accounts
• Subscription services
• Retail accounts
• Hobby or special-interest accounts
• Any account with saved payment info
Use a password manager to generate unique, strong passwords (12+ characters, mixed case and numbers) for everything. This is the most important security habit you can develop.
Enable 2FA everywhere possible
Email, banking, social media, cloud storage, password manager, work accounts—anywhere that offers two-factor authentication, turn it on. Authenticator apps are more secure than SMS, but SMS is better than nothing.
Save your backup codes in a password manager, or print them and store them physically.
Check your phone and computer for malware
The hacker might have installed malware on your devices. Run scans:
• iPhone: go to Settings > Privacy > Apple Advertising ID, or use Apple's built-in security app
• Android: download Malwarebytes (free version) and run a full scan
• Windows: download Malwarebytes or Windows Defender and run a full scan
• Mac: use Activity Monitor (Cmd+Space, type Activity Monitor) and check for suspicious processes
If you find malware, it's often safer to back up your important files and do a clean install of your operating system rather than trying to remove malware piece by piece.
Review connected apps and devices
• Google/Apple accounts: check connected devices and revoke any you don't recognize
• Cloud storage (Dropbox, Google Drive, OneDrive): check active sessions and devices
• Work accounts: check connected VPN sessions and devices
• Social media: check active sessions
Create a recovery plan for future emergencies
Print and store physically:
• A list of your most important accounts with usernames (not passwords)
• Instructions for accessing your password manager
• Your email address and recovery phone number
• Reference numbers for police reports and bank contacts
This "recovery kit" sits at home. If you're hacked again, you can reference it without logging into anything online.


Why Offline Backup Matters
Most people don't think about offline backups until something goes wrong. But data loss or account compromise shows why they matter.
When your accounts are compromised, your cloud backups might be too. An attacker with email access can change your cloud storage password and lock you out. You need data you can access and recover without relying on internet-connected services.
A physical backup of critical documents—important emails saved as PDFs, financial records, insurance details—gives you a recovery point that can't be hacked. It's also legally valuable. In disputes with banks or service providers, you have documentation that doesn't depend on accessing their servers.
Documents should be:
• Stored in a fire- and water-resistant location
• Physically secure (locked drawer or safe)
• Backed up to an offline USB drive
• Updated quarterly or when significant events occur
Products specifically designed for this are available (https://offlyne.world/), but even a lockable filing cabinet with regular backups is better than cloud-only storage.


Building Your Recovery Kit

After the crisis is over, build a kit that makes future recovery faster and easier.
The digital elements:
• A password manager with all your passwords
• Backup codes for 2FA, stored securely (separate from your password manager)
• A list of your critical account usernames and recovery contacts
• A USB drive with copies of important documents, photos, and files
The physical elements:
• Printed copies of insurance documents, ID, and financial account details
• Printed backup codes
• A copy of your recovery plan
• Contact information for your bank, insurance, and utility providers
Products at https://offlyne.world/ bundle USB backup tools, offline storage, and physical documentation protection together, designed specifically for scenarios like this.

FAQ


How long does recovery actually take?
The first 24 hours are critical—locking down accounts and stopping active damage. But full recovery (reversing fraudulent transactions, credit report clean-up, re-establishing trust) can take weeks to months. Banks often take 10-20 days to reverse fraudulent transactions.
Should I change my password again if I'm worried I chose a weak one?
Yes, but not immediately. Once you've changed it and locked down 2FA, you have time. Change it again in a few days if you're not confident in it.
Can a hacker regain access after I've locked them out?
Unlikely, if you've done everything above. But possible, if:
• Your password is weak and they guess it again
• You use the same password on multiple sites
• Your phone is still infected with malware
• You re-use recovery codes
This is why the final step is building a resilient system with strong passwords, 2FA, and offline backups.
Do I need to replace my credit cards?
Your bank will advise. If fraudulent transactions occurred on your debit card, yes. If only your online account was compromised, maybe not. Follow your bank's recommendation.
Should I be worried about identity theft?
Place a fraud alert on your credit file (Clearscore, Experian, Equifax all offer this), which makes it harder for someone to open accounts in your name. Monitor your credit report for suspicious activity. But most hacks aren't followed by identity theft. You can reduce the risk significantly by following the steps above.
What if I discover a breach months later?
The same 24-hour process applies, but it's even more critical. An attacker who's had access for months might have:
• Established persistent backdoors
• Stolen extensive data
• Done damage that isn't immediately obvious
Be more aggressive: change passwords, enable 2FA, consider replacing devices, and check your credit report carefully. Contact Action Fraud immediately.