First of all, go to your email provider and log in – it’s time to assess the damage. If the password has been changed, try the ‘Forgot Your Password?’ function to get in. Once you get into your account, Jake Moore, cybersecurity expert at ESET UK, advises the very first thing you should do is change your password. It needs to be long and strong, with multiple numbers, cases and special characters. Avoid real words – this way, a hacker will have a harder time getting in.
Guardian tech editor Samuel Gibbs advises that you should then go through to all your other accounts, including Facebook, Twitter, Amazon, eBay and your internet banking – essentially, anything that may have had the same password should be checked, particularly if these accounts use your email as the username, as that means the hackers likely have both your username and password for all those services.
Next, Gibbs says you should check both your inbox and trash folder for any password reset emails from accounts linked to your email that haven’t been instigated by you. The hacker might have tried to change your passwords on other sites using your hacked email to do the password resets.
After you’ve cut the problem off at the root and you know hackers can no longer access your account, you then have to check whether they have used your account to attack your contacts with spam or phishing emails. Most times, this will be used to trick them into thinking you need help in order to garner personal information from them. Gibbs advises checking your inbox and outbox for dodgy emails sent and received, which will help identify who’s been targeted. If you find some people on your contacts list have been contacted, contact them via another form of communication as soon as possible and let them know you’ve been hacked.
Holly Andrews, fraud protection expert and money laundering officer at KIS Finance, says it’s also important to check all your devices for any viruses or malware that could have been downloaded during the hack. “One of the worst-case scenarios is if the hacker installs spyware and keyloggers that track your keystrokes, enabling them to steal your log-in details for other important accounts, such as your online banking.” Use your device’s antivirus programme to ensure this hasn’t happened.
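The inbox-and-trash check for password reset emails described above can be scripted once the two folders are exported. This Python sketch is an added example, not part of the original article; the subject patterns, sender addresses, sample messages and start date are all constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Subject phrases typical of account-recovery mail (assumed, not exhaustive).
RESET_RE = re.compile(
    r"reset your password|password reset|password (was|has been) changed",
    re.IGNORECASE,
)

def find_reset_emails(raw_messages, not_before):
    """Group reset-style mails dated on/after `not_before` by sender domain."""
    hits = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        subject = msg.get("Subject", "")
        if not RESET_RE.search(subject):
            continue
        try:
            sent = parsedate_to_datetime(msg.get("Date"))
            if sent.tzinfo is None:  # "-0000" dates parse as naive
                sent = sent.replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            sent = None  # missing or malformed Date: keep it for manual review
        if sent is not None and sent < not_before:
            continue  # older than the suspected break-in
        domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        stamp = sent.isoformat() if sent else "unknown date"
        hits.setdefault(domain or "unknown sender", []).append((stamp, subject))
    return hits

def _mail(sender, subject, date):
    return f"From: {sender}\nSubject: {subject}\nDate: {date}\n\n(body omitted)\n"

# Constructed messages standing in for an export of the inbox and trash folders.
SAMPLE_MESSAGES = [
    _mail("Shop <no-reply@shop.example>", "Reset your password", "Tue, 02 Oct 2018 09:15:00 +0000"),
    _mail("friend@mail.example", "Lunch on Friday?", "Tue, 02 Oct 2018 10:00:00 +0000"),
    _mail("Bank <security@bank.example>", "Your password has been changed", "Wed, 03 Oct 2018 01:30:00 +0000"),
    _mail("no-reply@shop.example", "Password reset request", "Mon, 10 Sep 2018 08:00:00 +0000"),
    _mail("Forum <noreply@forum.example>", "Password reset", "not a date"),
]
SUSPECTED_START = datetime(2018, 10, 1, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for domain, mails in find_reset_emails(SAMPLE_MESSAGES, SUSPECTED_START).items():
        for stamp, subject in mails:
            print(f"{domain}: {stamp}  {subject}")
```

Each domain in the result is an account to log in to directly and secure; a message with an unreadable date is kept rather than dropped so it still gets looked at.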
After Facebook’s major security breach in late September, which saw hackers gain access to at least 50 million users, there’s never been a better time to check the security of your account.
If you’ve noticed suspicious activity on your account, Jake says again, the first rule of thumb is to change your password and then change any other account that has the same password. (When you get a moment, Jake adds that this is also “a great opportunity to reinforce the importance of two-factor authentication”. This means every time you log onto Facebook from an unknown device it’ll send a security code to your phone.) Then, check your login history, looking out for any computer or phone you don’t recognise. Comb through your recent activity, such as your recent likes and posts, and delete anything you didn’t do yourself. It’s important to check what apps and games have been added to your account and delete anything you don’t recognise.
There are a number of ways to report suspicious activity on your account to Facebook. If you find spam on your account, you can report it here. You can check that no payments have been made on your account here. Report any activity that you didn’t make here. And you can learn more about the signs of phishing (AKA, malicious activity on your account) here.
Many also use their Facebook accounts to log in to services such as Instagram, Spotify, Airbnb, Tinder, Expedia and many, many more. Jason Polakis, assistant professor of computer science at the University of Illinois at Chicago, has studied the security of sign-on services like Facebook’s, and said that, while Facebook obviously employs top engineers, there’s no way even the biggest companies can guarantee complete security. He suggests using a password manager, such as LastPass or 1Password, that creates and remembers strong passwords for different sites. “Compared to massive platforms that have millions of different lines of codes and different functionalities, a password manager has one specific job, and so it minimizes the chances of something going wrong,” said Polakis.
First, if you can’t get into your account, file a Support Request with the platform. If you’re able to access your account but notice tweets, DMs or other behaviour that seems a little suspect, as is standard, Twitter suggests you change your password. Again, choose something that’s eight characters or more, with a combination of letters, numbers and special characters. If you’re worried about your email, Twitter shows you how to update it here. As with Facebook, check third-party apps that have access to your account in your settings and remove the access from the ones you don’t recognise. Then, delete the app on your phone and reinstall it.
For more security tips, you can check Twitter’s help centre.
No one can deny that we are our best selves on Instagram, and our profiles are put together far more carefully than any other social media presence we hold. So, when your account starts to post bizarre unauthorised content it seems to cut far deeper. All that hard work! All that careful curating! Wasted!
If you notice something suspicious, start, as always, by changing your password to something stronger – Instagram suggests a combination of at least six numbers, letters and special characters. If you are unable to access your account, go to their troubleshooting page for further advice on how to unlock your account. As with Facebook and Twitter, make sure you switch on two-factor authentication and check your third-party apps for anything suspicious.
Protecting yourself in future:
To make sure this kind of thing doesn’t happen again, these are the key preventative measures you should take:
- Make your password at least 8 characters long
- Don’t use real words in your password
- Use a mix of letters, numbers, special characters, and upper and lower case
- Never use a password twice
- Always enable two-factor authentication
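The first four items of this checklist can be checked mechanically across a set of accounts. The following Python sketch is an added example, not part of the original article; the tiny wordlist, the character-substitution table and the sample passwords are constructed assumptions, and a real check would load a full dictionary.

```python
import re

# Tiny stand-in wordlist (an assumption); replace with a real dictionary file.
COMMON_WORDS = {"password", "dragon", "football", "summer", "welcome"}
# Undo common look-alike substitutions so "P@ssw0rd" still counts as a word.
LEET = str.maketrans("0134$5@7", "oleassat")
CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]

def audit_passwords(accounts):
    """Map each account name to the checklist rules its password breaks."""
    uses = {}
    for pw in accounts.values():
        uses[pw] = uses.get(pw, 0) + 1
    report = {}
    for account, pw in accounts.items():
        problems = []
        if len(pw) < 8:
            problems.append("shorter than 8 characters")
        plain = pw.lower().translate(LEET)
        if any(word in plain for word in COMMON_WORDS):
            problems.append("contains a real word")
        if not all(re.search(c, pw) for c in CLASSES):
            problems.append("missing a character class")
        if uses[pw] > 1:
            problems.append("reused on another account")
        report[account] = problems
    return report

# Constructed sample passwords, for illustration only.
SAMPLE_ACCOUNTS = {
    "email": "P@ssw0rd2018!",
    "facebook": "P@ssw0rd2018!",
    "twitter": "summer",
    "bank": "vR7#qLm2$xTz9!",
}

if __name__ == "__main__":
    for account, problems in audit_passwords(SAMPLE_ACCOUNTS).items():
        print(account, "->", problems or "passes the checklist")
```

The shared email and Facebook password passes the length and character-mix rules yet is still flagged twice, for the disguised dictionary word and for reuse.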