When You're Hacked — The First Hour Playbook

You did everything right and it still happened. Maybe a really good phishing email caught you on a tired Monday. Maybe a service you signed up with years ago had a breach you didn't know about. Maybe a family member's phone was stolen with passwords saved.

You see the signs:

• An email saying "your password was changed" — that you didn't change;
• A notification from your bank about a transaction you didn't make;
• A friend texting that they got a weird message from your account;
• A login alert from a country you've never been to.

Your stomach drops. Here's the playbook for the next hour.

The single biggest mistake people make is freezing. Hoping it's nothing. Telling themselves they'll deal with it later. Every minute matters. Most financial fraud is reversible within 24 hours and unrecoverable after. Move fast.

Step 1 — Secure Your Email First

Why first: your email is the master key. Anyone who controls it can reset the password on every other account you have. If the attacker is still in your email, they can undo anything else you do.

What to do:

• Log into your email account (Gmail, Outlook, etc.) from a device you trust;
• If you can still log in: change the password immediately to something brand-new (not a variation of the old one);
• Sign out all other sessions — in Gmail this is at the bottom of the inbox, "Last account activity → Details → Sign out all";
• Turn on 2FA if it wasn't already. Use an authenticator app, not SMS;
• Check Recent Security Activity — anything you don't recognize is the attacker;
• Check filters and forwarding rules — attackers often add a forwarding rule to siphon copies of every incoming email. Delete anything you didn't set up;
• Check the recovery email and phone on the account. If those have been changed to addresses you don't recognize, restore yours.

If you can't log in: go to the provider's account recovery flow immediately. Google, Microsoft, and Apple all have detailed recovery processes — be ready to provide previous passwords, devices you've used, dates you created the account. The sooner you start, the better your odds.

Step 2 — Secure Your Password Manager

If you use one (you should — see Chapter 3), now is the moment it earns its keep.

• Log in;
• Change the master password to something new and long;
• Sign out all other sessions/devices;
• Verify 2FA is on. If not, turn it on immediately;
• Check the activity log for logins you don't recognize.

If the attacker got into your password manager, they got into everything. This is the worst case — assume every account is compromised and proceed to Step 4 with full urgency.

Step 3 — Call Your Bank

If anything financial might be in play, pick up the phone right now.

• Use the number on the back of your physical card or the bank's official website. Don't use any number from an email or text — that could be the scammer;
• Tell them you suspect fraud;
• Ask them to freeze pending transactions and flag your account for review;
• Get a case number and the name of the person you spoke with.

Most fraud — wire transfers, unauthorized card transactions, account takeovers — is reversible within 24 hours if the bank acts fast. After 24-48 hours, the money is often gone for good. Time is everything.

Repeat for every financial institution you use — bank, credit cards, PayPal, Venmo, crypto exchanges, Apple Pay/Google Pay.

Step 4 — Change Passwords On Reused Accounts

If the attacker has one password of yours, assume they're trying it on every popular site. Change passwords on:

• Any account where you used the same password as the compromised one;
• All financial accounts (even ones with different passwords — assume the worst);
• Cloud storage (Google Drive, iCloud, Dropbox) — these often hold copies of your IDs, tax docs, sensitive files;
• Primary social media (so the attacker can't impersonate you);
• Anywhere with stored payment info.

If you used a password manager and unique passwords everywhere, this step is small. If you didn't, this is the painful one. Start with the highest-value accounts and work down. A few hours of grinding is the price.

Step 5 — Check What's Already Been Done

Now that you've locked things down, see what the attacker accomplished while they had access:

• Email: any sent messages you didn't send? Any deleted important emails? Any new email rules?
• Bank/cards: review the last 30 days of transactions for anything unfamiliar;
• Social media: any DMs sent in your name? Any new posts? Any new "friends" or follows?
• Cloud storage: any new shares? Any files downloaded?
• Online shopping: any orders placed? Any new shipping addresses added?

Take screenshots of everything suspicious. You'll need this for the next step.

Step 6 — File Official Reports

Banks, insurance, and identity recovery services all need a paper trail.

In the United States:

• IdentityTheft.gov — the FTC's one-stop site for identity theft. Generates a personalized recovery plan and the official affidavits you'll need;
• IC3.gov — the FBI's Internet Crime Complaint Center. File a report here for cybercrime, especially anything involving money;
• Local police — file a report if there are significant financial losses. Many banks require a police report number to fully refund fraud.

In the EU/UK:

• Your national CSIRT (Computer Security Incident Response Team);
• UK: Action Fraud (actionfraud.police.uk);
• EU: report through europol.europa.eu or your national equivalent.

Anywhere: put a fraud alert on your credit file (US: Equifax, Experian, TransUnion all have free fraud alert tools).

These reports take 20-30 minutes each but they're what insurance, banks, and credit bureaus need to fully resolve the case.

Step 7 — Tell Your Contacts

If your email or social media was compromised, your friends and family are now being targeted in your name. The scammer is sending them messages — "I'm in trouble, please send money" — using your trusted identity.

Send a quick mass message (text, WhatsApp group, social post) from a known-safe channel:

"My [Gmail/Instagram/etc.] account was compromised today around [time]. If you received any messages from me asking for money, gift cards, or urgent help — ignore them. I'm fine. I'm working on it now."

What Not To Do

• Don't pay the attacker, ever. "Send us $500 in Bitcoin and we'll restore your account" — never. They won't restore anything. Paying funds the next attack;
• Don't panic-tweet about it before you've secured the account. Public attention can make attackers double down or burn evidence;
• Don't delete the compromised account immediately. You need access to it for the recovery process — and "delete" usually means "deactivated for 30 days" anyway. Lock it down first, deal with deletion later if needed;
• Don't wait until tomorrow morning. Tomorrow morning the money is gone.