Discovering you've been hacked triggers immediate panic. Your email is sending messages you didn't write. Your bank shows transactions you didn't make. Your social media accounts are posting content you didn't create. Time is absolutely critical—hackers use automation to escalate compromises within minutes, draining financial accounts, stealing personal data, and locking you out permanently.
This playbook provides the exact operational steps to follow in the first 24 hours after discovering a breach. It's organized by priority and time sensitivity, designed to stop the bleeding first, then rebuild your security systematically.
Phase 1: Triage the Primary Vector (Minutes 0-15)
The attacker usually targets your primary communication channel first—your main email account. If your email is compromised, the attacker can intercept password reset emails for every other service you use. This is why email recovery takes absolute priority.
If You Still Have Email Access
- Change your email password immediately from a clean device (not the device that may be infected)
- Log out all active sessions: In Gmail, go to Settings → Security → Your devices → Sign out of all other sessions. In Outlook: Account → Security → Sign out everywhere
- Check email forwarding rules: Attackers silently forward copies of all your incoming email to their address. In Gmail: Settings → Forwarding → Remove any addresses you don't recognize
- Check email filters: Attackers create filters to auto-delete security alerts. Review all filters for suspicious rules that delete or redirect messages
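The filter review above can be scripted against Gmail's filter export (Settings → Filters and Blocked Addresses → Export, which produces `mailFilters.xml`). This is an added example, not part of the original playbook; the sample export, the addresses in it and the `ALERT_TERMS` list are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by Gmail's filter export (mailFilters.xml).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Words typical of provider security notices; an assumption, extend as needed.
ALERT_TERMS = ("security", "password", "sign-in", "verification", "alert", "fraud")
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")

# Constructed sample export, not taken from a real account.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><category term='filter'/>
    <apps:property name='from' value='newsletter@shop.example'/>
    <apps:property name='label' value='Shopping'/>
  </entry>
  <entry><category term='filter'/>
    <apps:property name='hasTheWord' value='security alert OR password'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry><category term='filter'/>
    <apps:property name='to' value='me@mail.example'/>
    <apps:property name='forwardTo' value='collector@unknown.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

def audit_filters(xml_text, my_addresses=()):
    """Return (filter_number, reason) for every filter that needs a manual look."""
    findings = []
    trusted = {a.lower() for a in my_addresses}
    entries = ET.fromstring(xml_text).findall("atom:entry", NS)
    for idx, entry in enumerate(entries, 1):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        fwd = props.get("forwardTo", "").lower()
        if fwd and fwd not in trusted:
            findings.append((idx, f"forwards mail to {fwd}"))
        criteria = " ".join(props.get(k, "")
                            for k in ("from", "subject", "hasTheWord")).lower()
        hides = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hides and any(term in criteria for term in ALERT_TERMS):
            findings.append((idx, f"hides security mail via {', '.join(hides)}"))
    return findings

if __name__ == "__main__":
    for idx, reason in audit_filters(SAMPLE_EXPORT, my_addresses=["me@mail.example"]):
        print(f"filter #{idx}: {reason}")
```

Account-level forwarding set under Settings → Forwarding is not part of the filter export, so that manual check still applies.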
If You're Locked Out of Email
- Use the provider's official account recovery flow immediately
- Verify identity using known past passwords, trusted phone numbers, or recovery codes
- If recovery fails, contact Google/Microsoft support directly—they have escalation paths for compromised accounts
- While waiting for recovery, proceed to Phase 2 immediately
Phase 2: Secure Financial Accounts (Minutes 15-60)
While your email is being secured (or while awaiting recovery), you must protect your financial assets immediately. Do not wait to see if fraudulent charges appear—assume they will.
Banking & Credit Cards
- Call your bank's fraud department: The number is on the back of your debit/credit card. Request an immediate hard lock on your accounts
- Freeze all linked cards: Both debit and credit cards associated with compromised email addresses
- Block outbound wire transfers: Explicitly request this with your bank
- Review recent transactions: Flag any unauthorized charges for dispute
Cryptocurrency Accounts
If you hold cryptocurrency, this is urgent. Crypto transactions are irreversible. Log into exchange accounts (Coinbase, Binance) immediately, change passwords, disable API keys, and enable withdrawal address whitelisting.
Payment Services
Secure PayPal, Venmo, Cash App, and any other payment processors. Change passwords and revoke any authorized applications you don't recognize. See our PayPal recovery guide.
Phase 3: Full Credential Reset (Hours 1-3)
Now that the immediate financial bleeding is stopped, systematically rebuild your credential security. If you were reusing passwords across services (most people do), assume every account sharing that password is compromised.
Step 1: Set Up a Password Manager
If you don't already use one, this is the moment. Install Bitwarden (free), 1Password, or Dashlane. Generate a strong, unique master password (20+ characters) that you memorize and never write digitally.
Step 2: Priority Reset Order
Reset passwords in this specific order (highest impact first):
1. Primary email (already done in Phase 1)
2. Secondary/recovery email
3. Banking & financial services
4. Cryptocurrency exchanges
5. Cloud storage (Google Drive, iCloud, Dropbox)
6. Social media (Facebook, Instagram, Twitter/X, LinkedIn)
7. E-commerce (Amazon, eBay; they store payment methods)
8. All remaining accounts
Step 3: Enable 2FA on Every Account
For each account you reset, enable two-factor authentication using an authenticator app (Google Authenticator, Authy, or Microsoft Authenticator), NOT SMS: SMS-based 2FA is vulnerable to SIM-swapping attacks. Read our complete 2FA setup guide.
Phase 4: Device Sweeping (Hours 3-12)
If the breach originated from malware on your PC, phone, or tablet, changing passwords alone won't help—a keylogger or session hijacker will simply steal the new credentials immediately.
Computer Scanning
- Disconnect from the internet: Prevent further data exfiltration
- Boot into Safe Mode: Prevents most malware from loading
- Run a full offline scan: Use Malwarebytes, HitmanPro, or Windows Defender Offline
- Check browser extensions: Remove any extensions you didn't install
- Check startup programs: Look for unfamiliar entries in Task Manager → Startup tab
When to Nuke and Reinstall
If any of the following are true, a clean OS reinstall is the only safe option:
- The malware scanner detects a Remote Access Trojan (RAT)
- You see unknown processes making network connections
- The malware scanner cannot remove the infection
- You suspect a rootkit (system-level compromise)
Mobile Device Checks
- Review installed apps—remove anything you don't recognize
- Check for device administrator apps or MDM profiles (Settings → Security → Device admin apps)
- Factory reset if you suspect spyware or stalkerware
Phase 5: Identity Protection (Hours 12-24)
If personal data was exposed (Social Security number, date of birth, address), you need to protect your identity from ongoing fraud:
- Place a credit freeze: Contact all three credit bureaus (Equifax, Experian, TransUnion) individually. A credit freeze prevents anyone from opening new accounts in your name. This is free.
- Set up fraud alerts: Request 1-year fraud alerts with each credit bureau
- Check haveibeenpwned.com: See which breaches your email addresses appear in
- File an FTC identity theft report: At IdentityTheft.gov—this creates an official record and recovery plan
- File a police report: Required by some banks and credit bureaus for fraud disputes
Account-Specific Recovery Guides
We've written detailed recovery guides for the most commonly compromised platforms:
- Facebook & Messenger Hack Recovery
- Instagram Account Security
- PayPal Account Hacked Recovery
- Coinbase & Crypto Protection
- Social Media Profile Security
Preventing Future Attacks
The 5 Pillars of Personal Cybersecurity
- Unique passwords for every account: Use a password manager to generate and store random 16+ character passwords
- Authenticator-based 2FA: Enable on every account that supports it. Never use SMS-based 2FA as your primary method
- Regular software updates: Enable automatic updates for your OS, browser, and all applications
- Phishing awareness: Never click links in unsolicited emails or messages. Learn to identify phishing attacks
- Regular security audits: Review your accounts, connected apps, and security settings quarterly
Frequently Asked Questions
How do I know if I've been hacked?
Common signs include: receiving password reset emails you didn't request, being locked out of accounts, seeing login notifications from unfamiliar locations, friends receiving messages you didn't send, unexplained financial transactions, new accounts or devices appearing in your security settings, and your antivirus flagging malware.
Should I pay a ransom if my data is encrypted?
The FBI recommends never paying ransoms. Payment doesn't guarantee data recovery, funds criminal organizations, and makes you a repeat target. Instead, restore from backups, report the incident to law enforcement (FBI IC3), and consult the No More Ransom project (nomoreransom.org) for free decryption tools that may work for your specific ransomware variant.
Can hackers see everything on my phone?
If your phone is infected with spyware or a Remote Access Trojan (RAT), attackers can potentially access everything: messages, photos, contacts, location data, microphone, and camera. Signs of phone compromise include rapid battery drain, increased data usage, unusual background noises during calls, and apps you didn't install. A factory reset is the most reliable remediation.
How long does it take to recover from being hacked?
The immediate emergency response takes 4-24 hours. Full recovery, including securing all accounts, cleaning devices, setting up identity protection, and rebuilding your security posture, typically takes 1-2 weeks. Monitoring for ongoing identity fraud should continue for at least 12 months via credit freeze and fraud alerts.
Should I report being hacked to the police?
Yes. File a police report, especially if financial losses are involved. Additionally, report cybercrime to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov, file an FTC identity theft report at IdentityTheft.gov, and report to your state's attorney general. These reports create an official paper trail needed for financial disputes and insurance claims.
Conclusion
Being hacked is a profoundly violating experience, but following this operational playbook prevents panic from causing further catastrophic losses. The priority order is clear: secure your email and financial accounts first, then systematically rebuild every credential with unique passwords and authenticator-based 2FA, sweep all devices for malware, and protect your identity. Once recovered, audit your entire security posture to ensure it never happens again.