Account compromised? Don’t panic—take these steps instead
By James Allman-Talbot, Head of Incident Response & Threat Intelligence, Quorum Cyber
There are few things scarier than having your account compromised. It doesn’t matter if it’s a corporate account or a personal one that’s fallen into the hands of a bad actor. The initial wave of confusion—Hey, why isn’t it letting me in, or I don’t remember making that change—quickly turns to dread as you realize what has actually happened: someone has gained access to your account and all the information in it, and has the power to act on your behalf, likely to a damaging degree.
Before that dread can turn into panic, take a breath. There are in fact things you can, and should, do in the event of a valid account compromise, and once you’ve taken a moment to collect yourself you should jump right on them. Panicking is bad, but you still don’t want to delay.
- If you can still access the account, change your password—immediately. Don’t reuse a password utilized on other accounts, and don’t change it to some variation of the old one (adding an exclamation point to the end of the old password is probably the first thing the hacker would guess if they try to get in again).
- If the account is one where you can see and edit active sessions, close all of them. If you see a session that is active on your account from halfway across the world, that’s probably the person who is in your account, but geographical data can sometimes be spoofed, so it’s best to shut down all sessions to be safe.
- You also want to contact people who can help you lock down the account and undo any damage. If it’s a corporate account that was hacked, reach out to your IT and/or security department—if you have a data protection officer, they’re the best contact—and let them know what happened. They’ll direct you on the next steps and help you determine what data was accessed and what actions the attacker took.
- Alternatively, if it’s your own personal account, contacting customer support for the application, site, or service should be your next step. They should have the tools to help you ensure your account is secured and undo any actions taken on the account that you did not authorize.
- Two-factor authentication (2FA), where you have to enter a code sent to your email or phone via text, is your friend. If 2FA wasn’t enabled on the account before, enable it now. It makes it more difficult for someone to gain access to your account even if they’ve managed to discover your password. Yes, we all feel that mild ping of annoyance when we have to toggle over to another app to get the code, but I promise you that dealing with a hacked account is far, far more irritating (and lasts a lot longer).
- Similar to closing out active sessions on an account, check for suspicious activity that might point to how the account was compromised or what the person who broke in got up to. Unauthorized purchases, odd activity, or specific data accessed—figuring out what damage they did will help you undo as much of it as possible.
- Use that same password for other accounts? Change your repeated passwords elsewhere, starting with the email address tied to that account; oftentimes, hackers don’t stop at one account, and the email address (which is usually the most reliable backup for regaining access after an account locks down) is usually their next stop. For any accounts you have to change this way, it’s a good idea to do all of the above steps as well to see if they already accessed those accounts without you realizing.
- It’s best to use a fully unique password for every account (again, especially your email). We all have countless accounts that are secured by passwords, so use a password manager to help keep track of those passwords and generate strong, unique ones you don’t have to worry about forgetting.
Accounts are compromised all the time, and while it’s nearly impossible to guarantee it’ll never happen to you, the above steps can limit the damage that is done when you’re hacked and help prevent it from happening again. Remember, if you notice weird activity on your account or start receiving authentication requests from 2FA-enabled accounts that you didn’t generate, that’s a sign that something is amiss and action should be taken quickly.
James Allman-Talbot is the Head of Incident Response and Threat Intelligence at Quorum Cyber. James has over 14 years of experience working in cybersecurity, and has worked in a variety of industries including aerospace and defense, law enforcement, and professional services. Over the years he has built and developed incident response and threat intelligence capabilities for government bodies and multinational organizations, and has worked closely with board-level executives during incidents to advise on recovery and cyber risk management.