Simple Online Security: If You Think You’ve Been Hacked

• If you received a data-breach notification email: Included in any data-breach notification will be a list of what kinds of data the thieves accessed, but it’s often difficult to understand exactly what you should do in response. It’s usually best to at least change your password (and if you used that password anywhere else, you should change it there too); afterward, consider setting up two-factor authentication if the service offers it. If the breach compromised more personal details, such as credit card numbers, addresses, or Social Security numbers, be sure to take steps to minimize identity theft.
• Check your account activity where possible: Many online accounts, especially for services like email or social networks, allow you to see a history of logins, or they offer the ability to revoke access to any device that isn’t the one you’re currently logged in from. Motherboard has a guide to accessing these features on some of the most popular services. Also consider turning on login alerts—on sites that support it, such as Facebook—to get a notification anytime someone logs in to your account.
• Regain control of your accounts: If someone has stolen your account, you need to reach out to the company to regain access. Most large companies offer tools to help you regain control of an account if you’ve lost access, but be prepared for this process to potentially take a long time:
  • Google
  • Facebook
  • Apple
  • Microsoft
  • Twitter
  • Instagram
  • LinkedIn
  • TikTok
  • Snapchat
• If you think you have malware or spyware on your computer: If your computer is showing signs of some sort of “virus,” your next steps depend on how technical you want to get. How-To Geek has guides for various steps you can take to remove malware from a Windows 10 computer or from a Mac. If you’re not comfortable with such tools, consider a factory reset (Windows instructions, Mac instructions), which deletes everything, so do this only if you have good backups of your data.
• If you think someone has compromised your phone: Both Android phones and iPhones exhibit a few telltale signs of compromise. Typically you’ll see increased data usage, decreased battery life, and other strange behavior. In most cases, the simplest way to remove this type of software is to do a factory reset (Android instructions, iPhone instructions). You can also double-check to confirm whether this step is necessary with an app like iVerify on iOS, which includes a tool that scans your device to see if it is jailbroken, an indicator that spyware is installed (if you weren’t the one who did the jailbreaking).

Good sources of information

• Lifewire’s guide details what to do if your computer has a virus or malware that you can’t get rid of.
• Wired has a guide that details what sorts of things to look out for if you think someone has hacked into your accounts.

Before you take any steps in this situation, it’s important to know that an abuser might see what security measures you’re adding and react. Contact a local domestic-violence counselor before taking any actions with your technology. The counselor will also help you make copies of anything on the device that you may need for evidence. We have links below for further reading, or you can reach the National Domestic Violence Hotline at 800-799-7233. As a precaution, you should call from a different line than the cell phone you think the abuser has access to.

Resources for domestic abuse

• National Network to End Domestic Violence and its Tech Safety guides
• National Domestic Violence Hotline
• National Sexual Assault Hotline
• DIY Cybersecurity for Domestic Violence Guides
• Avast and Refuge’s interactive tool
• Coalition Against Stalkerware
• Consumer Reports’s guide
• Apple’s Personal Safety User Guide

If you believe a partner is spying on you through your devices, we have a guide to the steps you should take to secure your laptop and smartphone. Many of these steps, such as setting up a password manager, enabling two-factor authentication, and auditing the privacy settings on your various accounts—particularly your Apple or Google account—are already described in this security series. Pay close attention to the sharing settings in social media apps and on other accounts that may reveal specific information about you, such as your calendar or navigation tools.

Stalkerware, illicit software that gives an abuser complete access to your phone or computer, poses a special circumstance that can require more technical know-how to deal with. On Android, you can run a safety check with Google Play Protect, which is enabled by default, but if that feature is off, it might be a sign of compromise. On an iPhone, the Trail of Bits iVerify app ($3) can scan to see if your device is jailbroken, and it includes guides for securing your iPhone. On desktop computers, some antivirus software can detect stalkerware; head to the Coalition Against Stalkerware site for more details.

Online harassment can take many forms. It might include abusive private messages, public messages, spam messages, or worse, doxxing, where harassers get access to your home address or personal phone number and then post that information in publicly available venues.

If you’re already experiencing harassment, we recommend the following thorough and thoughtful resources, which go into detail about what to do.

Resources to get help dealing with online harassment

• Cyber Civil Rights Initiative is an organization that offers a crisis hotline as well as pro bono attorneys for victims of nonconsensual pornography (also known as “revenge porn”).
• The Games and Online Harassment Hotline is a hotline for video game players, developers, and streamers.
• HeartMob includes both help resources and community support.
• The Crisis Text Line isn’t specific to online harassment, but it does connect you with a crisis counselor who can help.

Good sources of information on how to protect yourself or others

• Pen America’s Online Harassment Field Manual provides resources and guides for many types of online abuse.
• Take Back the Tech’s Hey Friend guide walks through the steps for helping a friend who’s being harassed.
• The Zebra Crossing section on online harassment and doxxing has several tips for handling harassers and links to tools that can automate some certain tasks, such as blocking trolls on Twitter.
• Kat Fukui’s guide to handling online harassment has a more personal touch mixed with its actionable advice.

If you’re worried about the potential for harassment in a certain venue, or if you want to lock down your information before it becomes a problem, here are a few steps anyone can take to help minimize issues:

• Use strong, unique passwords and enable two-factor authentication: Protecting your accounts is a crucial step to dealing with harassment, as the last thing you want is for anyone other than yourself to get into them. Strong passwords and two-factor authentication provide a solid layer of protection, and we strongly suggest using a physical security key as your multi-factor authentication choice if you’re at a high risk of harassment.
• Remove yourself from “people search” sites: If you’ve ever searched for your own name online, you know that some of the results reveal a lot of information about you, including phone numbers, family members’ names, email addresses, and more. You can remove yourself from these services, though doing so takes a lot of work (or the willingness to pay an annual fee to a service to handle this for you, such as DeleteMe or Kanary). Journalist Yael Grauer’s Big Ass Data Broker Opt-Out List has links to the opt-out forms for many of the data brokers that publish phone numbers and addresses online. The New York Times’s How to Dox Yourself guide walks through the steps in closer detail, if you need some help.
• Be mindful of what you share on social media: Social media posts can include all sorts of private information about where you live, your current location while you’re traveling, people you’ve lived with in the past, and much more. Be cautious about inadvertently revealing these types of details, and consider going through older posts to remove anything that might reveal more than you’re comfortable with. Social media also tends to unintentionally leak all sorts of information, so take some time to lock down your accounts, including details about who can see your posts or any personal information.
• Consider using several email addresses or phone numbers when possible: We’ve talked before about using “burner” email addresses or phone numbers to combat marketing and help protect against data breaches, but those same tools are also useful for deflecting online harassment. You can set up different email addresses for different purposes, such as when you’re speaking at public events; also, get at least one secondary phone number to give out when you’re uncomfortable providing your primary one.

This article was edited by Arthur Gies and Mark Smirniotis.