You Might Have Been Hacked - What to Check First
"An unfamiliar login notification just arrived." "Your password was changed without your knowledge." "An app you never installed appeared on your phone." When you notice signs like these, it is critical to assess the situation calmly rather than panic. Suspicious activity can stem from an actual breach, but it can also be a false alarm caused by a phishing email or by an action of your own that you have forgotten.
This article walks you through how to identify signs of hacking, the verification steps to confirm a breach, and the concrete actions to take if unauthorized access is confirmed.
Common Signs of Unauthorized Access
If even one of the following signs applies to you, consider the possibility of unauthorized access. Multiple matches significantly increase the likelihood of a breach.
Account-Related Signs
- Password changed without your action: If you are locked out, an attacker may have changed your password
- Unfamiliar login history: Check your account activity on Google, Apple, or Microsoft for access from unknown locations or devices
- Emails or messages you did not send: Suspicious messages in your sent folder indicate your account may be hijacked for spam distribution
- Two-step verification settings altered: Attackers sometimes disable or redirect two-step verification to maintain persistent access
Device-Related Signs
- Abnormal battery drain: Malware running in the background consumes CPU and network resources, causing rapid battery depletion
- Unknown apps installed: Apps you did not install may be malware
- Unusual data usage: Malware transmitting data to external servers causes a spike in network traffic
- Browser homepage or search engine changed: A classic symptom of browser hijackers
Financial Signs
- Unrecognized transactions: Suspicious charges on your credit card or bank account
- New card or loan application notices: Your personal information may have been stolen and used for identity fraud
How to Verify an Account Breach
Once you spot warning signs, follow these steps to determine whether a breach has actually occurred.
1. Check for Email Address Leaks
Verify whether your email and password combination has been exposed in a data breach. Enter your email address at Have I Been Pwned (haveibeenpwned.com) to check if it appears in any known breach databases.
2. Review Account Login History
Check the security settings of your major services for recent login activity:
- Google: myaccount.google.com > "Security" > "Your devices" to see all connected devices
- Apple: appleid.apple.com > "Devices" section to review devices linked to your Apple ID
- Microsoft: account.microsoft.com > "Security" > "Sign-in activity"
- Social media: Check "Login activity" or "Session management" in each service's settings
3. Audit Connected Apps and Third-Party Access
Review the list of apps connected via OAuth and check for any you do not recognize. If an attacker has obtained an OAuth token, they can continue accessing your account even after you change your password.
4. Check Email Forwarding Rules
Attackers sometimes set up auto-forwarding rules to copy all incoming emails to an external address. In Gmail, go to "Settings" > "Forwarding and POP/IMAP" to verify no unauthorized forwarding addresses are configured.
What to Do If a Breach Is Confirmed
Once unauthorized access is confirmed, act quickly to contain the damage. Also review our guide on secure password management.
Immediate Actions - First Hour
- Change your password: Change the compromised account's password immediately. Also change passwords on any other accounts where you reused the same credentials
- Force logout all sessions: On Google, remove suspicious devices from "Your devices." On other services, use "Sign out of all sessions"
- Re-enable two-step verification: The attacker may have modified your 2FA settings, so reconfigure them from scratch
- Revoke connected apps: Remove all suspicious OAuth connections
Within 24 Hours
- Delete unauthorized forwarding rules: Remove any email forwarding you did not set up
- Verify recovery information: Confirm your recovery phone number and email address have not been changed
- Contact financial institutions: If you see suspicious transactions, contact your bank or card issuer to freeze the account
- Run a malware scan: Scan your PC and smartphone for malware to ensure no malicious software is present
Habits That Prevent Unauthorized Access
Prevention is far more effective than incident response. Practicing the following habits significantly reduces your risk of being hacked:
- Use a password manager: Generate and store a unique, strong password for every service. Credential stuffing attacks exploit password reuse, and unique passwords neutralize them
- Enable two-step verification everywhere: Activate 2FA on all accounts that support it - email, cloud storage, social media, and financial services
- Review login history regularly: Make it a habit to check your major accounts' login history about once a month
- Stay alert to phishing: Never click links in suspicious emails or messages without verifying the URL first
- Keep software updated: Always update your OS, browser, and apps to patch known vulnerabilities
Early Detection and Swift Response Minimize Damage
Hacking and unauthorized access cause the least damage when caught early and addressed quickly. If something feels off, follow the verification steps in this article to assess the situation and take the necessary actions. You can also check your IP address and security score on IP確認さん to verify whether your connection shows any unusual characteristics.