How to Check If You've Been Hacked: Warning Signs and What to Do Next
Hackers don't always announce themselves. Your accounts may be compromised for weeks or months before you notice. Learn the warning signs, how to check if your credentials are in a breach database, and exactly what to do if you've been hacked.
The Problem: Most Hacks Go Undetected
The average time between an account being compromised and the victim discovering it is over 200 days, according to security research firm Mandiant. In that time, attackers can drain financial accounts, harvest personal data, use your email to send phishing messages to your contacts, and build a detailed profile of your identity for use in fraud. Many people only discover they've been hacked when a bill arrives for something they didn't purchase, or a friend asks why they received a strange message from you.
The good news is that there are concrete, reliable ways to check whether your credentials have been exposed — and clear steps to take if they have. This guide walks through both.
Check If Your Email or Passwords Appear in a Data Breach
The most direct way to check if your credentials have been exposed is to use a breach-checking service. These services aggregate data from known breaches and let you search by email address or password.
Have I Been Pwned (haveibeenpwned.com): The gold standard, run by security researcher Troy Hunt. Enter your email address and it will tell you which known data breaches have exposed your credentials, and what data was included (email, password, name, phone number, etc.). It's free, doesn't store your search query in a linkable way, and covers billions of compromised accounts from thousands of breaches. Check it now — it takes ten seconds.
Google Password Checkup: If you use Google Chrome or save passwords to your Google Account, go to passwords.google.com and click "Check passwords." Google will compare your saved passwords against a database of known breached credentials using a privacy-preserving protocol (your actual passwords are never sent to Google's servers in readable form). It will flag any that appear in breaches, are reused across multiple sites, or are considered weak.
Dark web monitoring services: Services like NordProtect go further: they continuously scan dark web forums, paste sites, and breach databases for your email address, SSN, credit card numbers, and other personal identifiers, alerting you in real time when new exposure is detected rather than requiring you to check manually. This is particularly valuable given that many breaches aren't publicly disclosed for months after they occur.
After checking, make note of exactly which accounts were affected and what data was exposed. This drives your prioritized response.
Warning Signs That You May Have Been Hacked
Beyond breach databases, watch for these behavioral signals that an account or device has been compromised:
Unexpected login notifications: Most major services send email or push notifications when your account is accessed from a new device or location. If you receive a sign-in alert for activity you didn't initiate — especially from an unusual location or device — treat it as a confirmed compromise and act immediately.
Password no longer works: If you can't log in with the correct password, an attacker may have changed it after gaining access. Don't keep trying — initiate account recovery immediately.
Outgoing messages you didn't send: Friends or colleagues receiving emails, direct messages, or social media posts from you that you didn't write is a classic sign that an attacker is using your account. Check your sent folder and message history.
Unfamiliar devices in account settings: Most platforms — Google, Apple, Microsoft, Facebook — let you see all devices currently logged into your account. Any unrecognized device is a red flag. Check these device lists regularly.
Purchases or charges you didn't make: Monitor bank and credit card statements for unfamiliar charges, especially small test transactions (attackers often make a small charge first to verify a card is active before making larger purchases).
Account recovery emails or phone numbers changed: If you receive a notification that your recovery email or phone number was updated, and you didn't make that change, an attacker is attempting to lock you out permanently.
Antivirus alerts or unusual system behavior: On devices, signs of malware include unexpected slowdowns, programs launching on their own, browser redirects, and antivirus software being disabled. A good antivirus program should catch most of these — if you don't have one, that's a gap worth closing.
Check Your Active Sessions and Connected Apps
Every major platform lets you review active sessions and connected third-party applications. Doing this audit across your key accounts takes about 20 minutes and can reveal unauthorized access you didn't know about.
Google: Go to myaccount.google.com → Security → Your devices and "See all" to review every device signed into your Google Account. Below that, check "Third-party apps with account access" and revoke any you don't recognize or no longer use.
Apple: On iPhone, go to Settings → [Your Name] to see all devices signed into your Apple ID. On Mac, go to System Settings → [Your Name] → and review the device list. Remove any unrecognized devices.
Microsoft: Go to account.microsoft.com → Security → Sign-in activity to see a log of recent logins to your Microsoft account, with device type, location, and browser. Any unfamiliar entries warrant a password change.
Facebook/Instagram: Settings → Password and Security → Where You're Logged In. Review all active sessions and log out of any you don't recognize. Also check "Apps and Websites" for connected third-party apps.
Email providers: For Gmail, click the "Details" link at the bottom right of the inbox to see recent access. For other providers, check account security settings for equivalent session info.
What to Do Immediately If You've Been Hacked
If you've confirmed that an account has been compromised, speed matters. Here's the response sequence:
1. Secure your email account first. Your email account is the master key to everything else — password resets for virtually every service go to your email. If an attacker controls your email, they can reset access to any account. Change your email password immediately using our free password generator, and enable 2FA if it isn't already active. Our guide to securing your email account covers this in full detail.
2. Change the compromised account password. Use a long, randomly-generated, unique password. Never reuse a previous password — if it appeared in a breach database once, attackers already have it.
3. Enable two-factor authentication. On every account that supports it. Do this immediately for high-value accounts (email, banking, primary social media). Our 2FA setup guide explains how to get started with an authenticator app in under five minutes.
4. Review all active sessions and revoke unknown ones. Follow the audit steps above. Sign out all other sessions after changing your password to clear any sessions an attacker might still hold.
5. Check what data was accessible. If email was compromised, review what personal, financial, or sensitive information an attacker could have read. If banking was compromised, contact your bank immediately. If work credentials were exposed, notify your IT department.
6. Scan your devices for malware. If you suspect device-level compromise (vs. just credential theft), run a full scan with a reputable antivirus program. Malware that logs keystrokes can capture new passwords as you set them — make sure your device is clean before changing credentials.
7. Freeze your credit if personal data was exposed. If the breach included your Social Security number, date of birth, or other identity-document information, place a credit freeze with all three major bureaus (Equifax, Experian, TransUnion). Our guide to freezing your credit explains exactly how to do this in under 30 minutes — it's free and highly effective at preventing new account fraud.
Dark Web Monitoring: Staying Ahead of Future Breaches
Reactive breach checking (running your email through haveibeenpwned.com after you suspect a problem) is useful but limited. Many breaches aren't publicly disclosed for months, and dark web data can circulate for years before reaching databases that public checking tools index.
Proactive dark web monitoring gives you much earlier warning. Services like NordProtect continuously monitor dark web markets, paste sites, and hacker forums for your personal information — email addresses, phone numbers, SSN, credit card numbers, and passport information — and alert you within hours of detection rather than months. For anyone who has ever been in a significant breach (which, statistically, is most people), ongoing monitoring is worthwhile.
Identity theft protection services that include dark web monitoring, credit monitoring, and identity restoration assistance are particularly valuable if you've already had data exposed. Once your personal information is circulating on the dark web, the risk doesn't disappear — it compounds over time as new attackers discover the data.
Protect Yourself Going Forward: The Security Fundamentals
Most account compromises come down to three root causes: reused passwords, weak passwords, and absence of 2FA. All three are completely preventable.
Use our free password generator to create a unique, strong password for every account. Store them all in a password manager — never in a spreadsheet or your browser's built-in save feature for sensitive accounts. Enable 2FA on every account that supports it, preferring authenticator apps over SMS. And monitor your accounts with a regular audit schedule: check your breach status, review active sessions, and update any passwords that are more than a year old.
For a structured approach to auditing your current security posture, work through our password security audit checklist — it covers every major account category and helps you prioritize what to fix first. See our data breach response guide for the full playbook if you've confirmed a breach affecting sensitive accounts.
Recommended Tools
We recommend NordProtect for continuous dark web monitoring and identity theft protection — it covers email addresses, SSN, credit cards, and real-time breach alerts with identity restoration support if you're affected.
For a password manager to ensure every account has a unique strong credential, NordPass includes built-in breach scanning that alerts you directly when a saved password appears in a known breach — combining credential management and monitoring in a single tool.
See our full security tools guide for everything we recommend across password management, identity protection, antivirus, and VPN.
Recommended next step
Compare identity protection tools
Breach alerts and recovery support are most useful before a leaked credential turns into account takeover.
Compare identity protection tools →Keep Improving Your Account Security
- Browse the phishing hub for the complete set of related guides.
- How to Freeze Your Credit: The Complete Step-by-Step Guide
- Dark Web Monitoring Explained: What It Is, How It Works, and Do You Need It?
- SIM Swapping Protection: How to Stop Attackers From Hijacking Your Phone Number
- Data Breach: What to Do Immediately if Your Information Is Exposed