How to Check If You've Been Hacked — A Step-by-Step Investigation

When This Guide Applies

You suspect you have been hacked, you want to know for sure, or you want to do a periodic audit. This is the checklist.

Work through it in order. Each step catches a different category of compromise.

Step 1 — Check Breach Exposure

Go to haveibeenpwned.com. Enter every email address you use — personal, work, old ones you still check. Note which services appear in breach results.

For each breached service:

• Change the password immediately to something generated by your password manager.
• If you reused that password anywhere else, change it everywhere. (This is why reuse is the cardinal sin.)
• Subscribe to breach notifications via HIBP — free, alerts you automatically on future exposure.

Step 2 — Active Sessions

Every major service lets you see every device currently logged in to your account. Review each.

• Google — myaccount.google.com/security/devices
• Apple — appleid.apple.com → Devices
• Facebook — Settings → Security → Where You're Logged In
• Microsoft — account.microsoft.com/security/sign-in-activity
• Instagram — Settings → Security → Login Activity
• X — Settings → Security → Apps and sessions

If you see a device you do not recognise:

1. Sign it out immediately. 2. Change the password of that account. 3. Enable 2FA if it is not already on.

Step 3 — Email Forwarding Rules

A classic post-compromise technique: attacker sets a forwarding rule on your email so copies of everything arrive at their inbox, silently, even after you change your password. They can reset passwords on services you use without you seeing the reset emails.

Check and delete any rule you did not create:

• Gmail — Settings → See all settings → Filters and Blocked Addresses; also Forwarding and POP/IMAP
• Outlook — Settings → Mail → Rules, and Forwarding
• Apple Mail — iCloud.com → Mail → Rules

Also check for recent changes to your recovery email and phone number. Attackers set these so they can lock you out after you regain access.

Step 4 — Connected Third-Party Apps

Every OAuth login ("Sign in with Google", "Sign in with Apple") creates a persistent grant. Over years, these accumulate. Review and revoke:

• Google — myaccount.google.com/security/third-party
• Apple — appleid.apple.com → Sign in with Apple
• Facebook — Settings → Apps and Websites
• Microsoft — Account → Privacy → Apps and services

Revoke anything you do not actively use. Revoke anything you do not recognise.

Step 5 — Financial Accounts

Log into every bank, card, and payment account. Look for:

• Transactions you did not make. Obvious.
• Small test charges — $0.99 or $1.00 — before larger fraud. Attackers test a stolen card with a tiny charge to see if it fires; then the real fraud follows days later.
• Address changes, new cards ordered, new account opens.

Check your credit report for accounts you did not open. This catches the category where attackers use your identity to open new credit rather than hijack existing accounts.

Step 6 — Harden After

Assuming you now understand the scope, close it down.

• 2FA on everything — using an authenticator app, not SMS.
• New unique passwords on every affected account, generated by NordPass.
• Revoke all active sessions on every major account so any lingering attacker is evicted.
• Consider a credit freeze if financial accounts were affected.
• Report the incident. Action Fraud in the UK, FTC identitytheft.gov in the US. You will need the report number for dispute resolution with creditors.

If malware is suspected on a device, reinstall the OS rather than relying on antivirus cleanup. It is faster and more reliable than chasing every trace.

Related reading: Identity Protection Guide, 2FA Guide.