What to do if your account is hacked
If you have reason to believe one of your online accounts has been accessed by someone else, or you are seeing unsolicited verification codes, login alerts, or unfamiliar activity, follow the six steps below. The procedure is the same for any major consumer account: iCloud (Apple ID), Google, Microsoft, banking, social media, work email, and so on.
The rest of this article walks through each step in detail. Work through them in order. Steps 1 through 3 are the most time-sensitive; steps 4 through 6 close the loop and prevent the same compromise from recurring.
Step 1: Reset the account password
From a device you trust, ideally not the device that triggered the alert, sign in to the affected account and change the password. The new password should be:
- A minimum of 16 characters.
- Randomly generated, not human-chosen.
- Unique to that account and not reused on any other site.
Do not try to remember the new password. It will be stored in the password manager described in Step 3.
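As an added illustration of the three rules above (this is example code written for this article, not a Veldtech tool or a password manager's own generator), the block below draws a password from the operating system's cryptographic random source with Python's `secrets` module, reports the entropy that a uniformly random choice from its alphabet gives, and checks a candidate against the length and uniqueness rules. The alphabet and the 20-character default are my own choices, and the `existing` set stands in for the passwords already in the vault.

```python
import math
import secrets
import string

# Alphabet the generator draws from: letters, digits and symbols most sites
# accept. Constructed choice; trim it if a site rejects some symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length: int = 20) -> str:
    """Random password from the `secrets` CSPRNG (never `random`, which is
    predictable). Refuses anything shorter than the article's 16-character floor."""
    if length < 16:
        raise ValueError("minimum length is 16 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a UNIFORMLY random string of this length over `alphabet`.
    Only meaningful for generator output; a human-chosen string of the same
    length has far less real entropy than this figure suggests."""
    return len(password) * math.log2(len(alphabet))


def meets_policy(password: str, existing: set) -> list:
    """Return the rules a candidate FAILS (empty list means it passes).
    `existing` holds passwords already used on other accounts (constructed
    input here; in practice it would be read from the vault)."""
    failures = []
    if len(password) < 16:
        failures.append("shorter than 16 characters")
    if password in existing:
        failures.append("reused from another account")
    return failures


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(pw):.0f} bits if stored as generated)")
    print("policy failures:", meets_policy(pw, {"Winter2024!"}))
```

A 20-character password over this 84-symbol alphabet carries about 128 bits, which is why the article can ask for length and randomness rather than memorability: the value is meant to live in the vault, not in your head.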
Step 2: Reconfigure strong multi-factor authentication
Once the password has been reset, review and upgrade the multi-factor authentication (MFA) configuration on the account:
- Enroll a TOTP-based authenticator app such as Google Authenticator or Microsoft Authenticator. These apps generate a rotating six-digit code that is required at login in addition to the password.
- Where supported, enroll a passkey as an additional or primary authentication method. Passkeys are resistant to phishing and credential theft.
- Remove SMS-based and email-based verification as the primary MFA method where the platform allows it. Text-message codes can be intercepted through SIM-swap attacks, and email codes are only as secure as the email account itself. Keep them only as a backup of last resort.
- Review the list of trusted devices on the account and remove any device you do not recognize.
- Sign out of all active sessions, forcing every signed-in device to re-authenticate with the new credentials and the new MFA method.
Step 3: Store credentials in a third-party password manager
Long, random, unique passwords are only practical if they are stored in a password manager. Veldtech recommends a third-party password manager such as Bitwarden rather than relying solely on the password manager built into your operating system.
The reasoning is defense in depth. If your iCloud account is compromised, the Apple-built password manager (iCloud Keychain) is also reachable by the attacker. A separate third-party password manager, protected by its own strong master password and its own MFA, is not exposed when the iCloud account is compromised. The same logic applies in reverse for Google accounts and Google Password Manager.
When configuring the password manager:
- Choose a long, memorable master password that is not used anywhere else.
- Enable MFA on the password manager itself, using the same authenticator app you configured in Step 2.
- Store the recovery code (or "emergency kit") for the password manager in a secure offline location that is not the same device that holds the vault.
Step 4: Review mail rules and filters on compromised mailboxes
If the affected account is a mailbox (Gmail, iCloud Mail, Outlook, or any other email provider), reviewing mail rules and filters is critical and frequently overlooked. When a mailbox is taken over, one of the first things a competent attacker typically does is create rules or filters that hide their activity from the legitimate owner. Common patterns include:
- Automatically forwarding a copy of all incoming mail to an external address controlled by the attacker.
- Automatically moving messages from specific senders (banks, password-reset notifications, security alerts) into archive folders, the trash, or rarely-checked labels so you do not see them.
- Automatically marking certain messages as read so they do not appear in unread counts.
- Deleting messages outright on arrival.
These rules can persist long after the password is changed if you do not specifically remove them. An attacker who has lost access to the account but left a forwarding rule in place will continue to receive copies of your mail indefinitely.
To review the rules and filters on each potentially compromised mailbox:
- Gmail: Settings → See all settings → Filters and Blocked Addresses, and separately Settings → Forwarding and POP/IMAP. Remove any filter or forwarding address you did not personally create.
- iCloud Mail: iCloud.com → Mail → Settings (gear icon) → Rules. Remove any rule you did not personally create. Also review iCloud Mail forwarding settings.
- Outlook / Microsoft 365: Settings → Mail → Rules, and Settings → Mail → Forwarding. Remove any rule or forwarding address you did not personally create.
Any unfamiliar rule should be treated as evidence that the mailbox was at one point accessible to a third party. Document it before deletion in case the information is needed later.
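Reviewing rules by clicking through each provider's settings is the right approach for one mailbox, but the four patterns listed above can also be checked mechanically against an exported rule set, which is also a convenient way to keep the documented copy the last paragraph asks for. The following is an added example written for this article (not a Gmail or Veldtech tool). It assumes the shape of Gmail's filter export file (an Atom feed with `apps:property` elements such as `forwardTo`, `shouldTrash`, `shouldArchive` and `shouldMarkAsRead`); the sample feed, the list of sender hints and the `own_domains` value are constructed for the demonstration, and a real audit would point the parser at your own export.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Sender fragments whose mail an intruder has reason to hide (constructed list).
SENSITIVE_SENDER_HINTS = ("bank", "security", "no-reply", "noreply",
                          "password", "verify", "account", "alert")

# Constructed sample in the shape of Gmail's filter export: one benign
# newsletter filter, one forward-and-delete filter, one that buries bank mail.
SAMPLE_FILTERS_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.net'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='*'/>
    <apps:property name='forwardTo' value='drop.box@attacker.example'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='no-reply@bank.example'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""


def _props(entry) -> dict:
    """Collapse an entry's apps:property elements into {name: value}."""
    return {p.get("name"): p.get("value") for p in entry.findall("apps:property", NS)}


def audit_filters(xml_text: str, own_domains: set) -> list:
    """Return one finding per suspicious filter: {"entry", "criteria", "reasons"}.
    Entries are numbered from 1 in export order so they can be matched in the UI."""
    findings = []
    root = ET.fromstring(xml_text)
    for idx, entry in enumerate(root.findall("atom:entry", NS), start=1):
        p = _props(entry)
        criteria = {k: v for k, v in p.items() if k in ("from", "to", "subject", "hasTheWord")}
        reasons = []
        if "forwardTo" in p:                       # pattern 1: copy mail elsewhere
            addr = p["forwardTo"]
            domain = addr.rsplit("@", 1)[-1].lower()
            where = "own domain" if domain in own_domains else "external address"
            reasons.append(f"forwards matching mail to {where} {addr}")
        if p.get("shouldTrash") == "true":         # pattern 4: delete on arrival
            reasons.append("deletes matching mail on arrival")
        sender = p.get("from", "").lower()         # patterns 2 and 3: bury alerts
        hides = p.get("shouldMarkAsRead") == "true" or p.get("shouldArchive") == "true"
        if hides and any(h in sender for h in SENSITIVE_SENDER_HINTS):
            reasons.append(f"hides mail from security-relevant sender {sender} "
                           "(archived or marked read)")
        if reasons:
            findings.append({"entry": idx, "criteria": criteria, "reasons": reasons})
    return findings


def format_report(findings: list) -> str:
    """Plain-text summary suitable for saving as the record before deletion."""
    lines = []
    for f in findings:
        lines.append(f"filter #{f['entry']} matching {f['criteria'] or 'ALL mail'}:")
        lines.extend(f"  - {r}" for r in f["reasons"])
    return "\n".join(lines) if lines else "no suspicious filters"


if __name__ == "__main__":
    print(format_report(audit_filters(SAMPLE_FILTERS_XML, {"example.com"})))
```

The newsletter filter is left alone even though it archives mail, because hiding is only suspicious when it applies to senders whose messages you would need to see during a compromise; the forwarding filter is flagged regardless of destination, since the article's rule is to remove any forwarding you did not create yourself.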
Step 5: Audit and clean up password vaults
Many people are not aware that their credentials are being saved by multiple password vaults at the same time. A single password can easily end up stored in iCloud Keychain, Google Password Manager, the browser's built-in password store (Chrome, Edge, Safari, Firefox), a third-party password manager, and sometimes the password manager built into security software, all at once, without you ever consciously choosing to do so.
This matters because resetting a password to a strong, random value provides no benefit if that new password is then automatically saved into a vault that an attacker also has access to. If the iCloud account is the suspected source of the compromise, any password saved to iCloud Keychain after the reset is, by definition, exposed to whoever has access to that iCloud account.
After completing the password reset and MFA hardening, audit every password vault present across your devices:
- Identify a single primary vault. Veldtech recommends Bitwarden as the primary vault, protected by a strong unique master password and its own MFA, as described in Step 3.
- Inventory every other vault present on your devices, including iCloud Keychain, Google Password Manager, Microsoft Edge password sync, Chrome password sync, Firefox saved logins, Safari saved passwords, and any password manager bundled with security software.
- Delete all saved credentials from every vault other than the primary vault. On Apple devices: Settings → Passwords. On Chrome: chrome://settings/passwords. On Edge: edge://settings/passwords. On Firefox: about:logins. Each vault must be cleaned individually.
- Disable the auto-save / offer-to-save prompt in every secondary vault so new credentials are not silently re-added going forward. The browser or operating system should not be offering to save passwords once Bitwarden is the primary vault.
- Re-enter any required credentials only into the primary vault after the cleanup.
This step closes the loop on the password reset: it ensures that the new, strong, random password actually lives only in a vault you control and trust.
Step 6: Review for downstream exposure
After the immediate account is secured, take a short inventory of related exposure:
- Identify any other accounts that may have used the same password historically and rotate those as well.
- Review the affected account's recent activity log (most major providers offer a sign-in history) and note anything unfamiliar.
- Check the affected email inbox for any password-reset emails for other services that you did not initiate. These indicate the attacker attempted to pivot to other accounts.
- If financial accounts may be implicated, contact those institutions directly.
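Two of the checks above lend themselves to a quick offline script once each vault has been exported: the Step 5 question of which credentials are sitting in more than one vault, and the Step 6 question of which other accounts share a password that may now be known to an attacker. The following is an added example written for this article, not a Veldtech or Bitwarden tool. The three exports are constructed, and their column names are an assumption (browser exports commonly use `name,url,username,password`, but every vault's format differs, so the per-vault column map is the part you would adjust). The reuse report masks the password so the output itself does not become a new copy of the secret.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed exports from three vaults. Column layouts are assumptions.
VAULT_EXPORTS = {
    "chrome": """name,url,username,password
Example Bank,https://online.bank.example/login,alice,Hunter2024!
Shop,https://shop.example/account,alice@example.com,Hunter2024!
""",
    "icloud_keychain": """Title,URL,Username,Password
Example Bank,https://online.bank.example,alice,Hunter2024!
Mail,https://mail.example,alice@example.com,c9FvT2qLm8xZpR4w
""",
    "bitwarden": """name,login_uri,login_username,login_password
Example Bank,https://online.bank.example/login,alice,x7QdN3hKp9sW2bVy
Forum,https://forum.example,alice,Hunter2024!
""",
}

# Which columns hold the URL, username and password in each vault's export.
COLUMN_MAP = {
    "chrome": ("url", "username", "password"),
    "icloud_keychain": ("URL", "Username", "Password"),
    "bitwarden": ("login_uri", "login_username", "login_password"),
}


def _site(url: str) -> str:
    """Normalise a stored URL to its hostname so /login and / compare equal."""
    return (urlparse(url).hostname or url).lower()


def load_vaults(exports: dict, column_map: dict) -> list:
    """Flatten every export into (vault, site, username, password) tuples."""
    rows = []
    for vault, text in exports.items():
        url_col, user_col, pw_col = column_map[vault]
        for r in csv.DictReader(io.StringIO(text)):
            rows.append((vault, _site(r[url_col]), r[user_col].strip().lower(), r[pw_col]))
    return rows


def duplicated_credentials(rows: list) -> dict:
    """Step 5: same site + username present in more than one vault.
    Returns {(site, username): [vaults]} for every such credential."""
    by_key = defaultdict(set)
    for vault, site, user, _ in rows:
        by_key[(site, user)].add(vault)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def _mask(pw: str) -> str:
    return pw[:2] + "*" * (len(pw) - 2)


def reused_passwords(rows: list) -> list:
    """Step 6: one password shared by several sites. Returns a sorted list of
    (masked password, [sites]) so the report never reproduces the secret."""
    by_pw = defaultdict(set)
    for _, site, _, pw in rows:
        by_pw[pw].add(site)
    return sorted((_mask(pw), sorted(sites)) for pw, sites in by_pw.items() if len(sites) > 1)


if __name__ == "__main__":
    rows = load_vaults(VAULT_EXPORTS, COLUMN_MAP)
    for key, vaults in duplicated_credentials(rows).items():
        print("stored in several vaults:", key, "->", ", ".join(vaults))
    for masked, sites in reused_passwords(rows):
        print("password", masked, "reused on:", ", ".join(sites))
```

In the constructed data the bank login is held by all three vaults, so resetting it in Bitwarden alone would leave two stale copies behind, and the reused password ties the bank to a shop and a forum, which is exactly the set of accounts the first Step 6 bullet says to rotate.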
Common questions
How do I know if my account has actually been hacked?
Strong signals include receiving login or verification codes you did not request, password-reset emails you did not initiate, login notifications from unfamiliar locations or devices, mail or chat messages sent from your account that you did not send, and discovering mail rules or forwarding addresses you did not create. Any one of these is enough to justify running the procedure above; you do not need to wait for definitive proof.
Should I tell my bank, employer, or anyone else?
If a financial account, work account, or healthcare account is involved, yes. Notify your bank or the relevant institution directly using a phone number you trust, not a number from a recent email. If a work account is involved, tell your IT team or manager so they can check for lateral movement into other company systems.
Is SMS-based MFA still better than no MFA?
Yes. SMS-based MFA is meaningfully better than a password alone, because it forces an attacker to obtain two separate factors instead of one. But it is the weakest mainstream MFA option, since text messages can be intercepted by SIM-swap attacks and users can be socially engineered into reading codes aloud. If a stronger option (authenticator app or passkey) is available, use it.
Why a third-party password manager instead of the one built into my phone or browser?
Defense in depth. The password manager built into your operating system (iCloud Keychain on Apple, Google Password Manager on Android and Chrome) is protected by the same account that protects everything else you do on that platform. If that account is compromised, the password manager is compromised too. A third-party password manager like Bitwarden has its own separate master password and its own separate MFA, so a compromise of your iCloud or Google account does not automatically expose every password you have ever saved.
Need help working through this?
If you suspect a business account, an employee account, or a work device has been compromised, Veldtech can help. We work with small businesses in Sacramento, Citrus Heights, and across Northern California.