Your account was just hacked. Or you think it might have been. Either way, the first rule is simple: don't panic, act in order. Every minute counts, but mistakes made under stress can make things worse.
This guide gives you the exact sequence of actions to take, in the right order, with the right priorities.
01 — Take a breath. Here's what will happen in the next 10 minutes
If your account has been compromised, the attacker likely has two goals: grab money or content, and use your account as a springboard to attack your other accounts. The good news: you can cut off both in under 10 minutes if you act now.
This guide follows a triage logic: we handle what limits immediate damage first, then secure things long-term.
02 — The first 5 minutes: immediate actions
Step 1 — Change the hacked account's password
If you still have access to the account, go immediately to Settings → Security → Change password. One caveat before you type anything: if the compromise may have started on the device you are using (a suspicious download, an attachment, a "login" page that looked slightly off), do every step in this guide from a different device you trust, because malware on the original device will simply capture the new password as you type it.
Use a strong, unique password. Length is what matters most: aim for at least 16 characters, or a random passphrase of five or more words, rather than a short string dressed up with a few symbols. Don't reuse anything you use elsewhere, since reuse is exactly what turns one breach into a cascade. Use our password strength checker to verify the new password before saving it, and our password generator to create one you don't have to invent yourself (a generated password is random by construction, which is the property a strength checker is really measuring).
If you no longer have access, click "Forgot password" or "Sign in another way" and trigger a reset to your recovery email.
Step 2 — Change your primary email password
This is often the step people forget. If an attacker controls your inbox, they can trigger password resets on all your accounts — banking, social media, Netflix, Amazon — from that address. Change your email password now, before doing anything else.
Your new email password must be different from the hacked account's password and all your other passwords.
Step 3 — Disconnect all active sessions
In the compromised account's security settings, look for "Active sessions", "Connected devices", "Where you're logged in", or "Manage sessions", and sign out every device except the one you are on. On a Google account this is under Security → Your devices; on Facebook it is under Security and login → Where you're logged in.
This removes the attacker even if they are still logged in with a valid session token, because changing the password alone does not always end existing sessions. While you are there, also review "Third-party apps with account access" (or "Connected apps") and any app-specific passwords: an attacker who granted an app access to your account, or generated an app password, keeps that access after a password change until you revoke it.
03 — Within the first 30 minutes: strengthen security
Enable 2FA on the hacked account
Two-factor authentication (2FA) means that even if someone knows your password, they can't log in without the additional code. Enable it on the hacked account first, then on your email. When you turn it on, the service shows a set of one-time backup codes: save them somewhere safe (in your password manager, or printed), because they are what gets you back in if you lose the phone.
Use an authenticator app, not SMS: SIM-swapping attacks let an attacker redirect your texts to their own phone. An app like Google Authenticator, Aegis, or Bitwarden Authenticator generates codes locally, without going through the phone network. Where the service offers a passkey or a hardware security key, that is stronger still, since a code typed into a fake login page can be relayed but a passkey cannot.
Check recovery settings
Make sure the attacker hasn't changed your recovery email address or recovery phone number, and remove any you don't recognise. Then check your email for anything they left behind: forwarding rules (a rule that silently sends a copy of every message to an outside address), filters that auto-delete or archive security notifications so you never see the "new sign-in" alerts, and connected apps or app passwords that keep working after a password change. Gmail keeps forwarding and filters under Settings → See all settings → Forwarding and POP/IMAP and Filters and Blocked Addresses; other providers have equivalent pages under mail settings.
Change passwords for linked accounts
If you used the same password on other sites (banking, social media, work email), change them now. This is the number one risk: a single stolen password compromises everything else.
Check haveibeenpwned.com to see if your email appears in known data breaches. A hit does not mean the listed account is compromised right now, but it tells you which passwords have been exposed: any password you used on a listed site, and anywhere else you reused it, must be retired.
04 — The lasting solution: a password manager
Account takeovers rarely come from nowhere. The number one cause remains password reuse: one site gets breached, and every other account using the same password becomes a target for credential stuffing. The number two cause is passwords that are short or predictable enough to guess or brute-force.
A password manager permanently fixes both problems: it generates a strong, unique password for every site, stores it encrypted, and fills it in automatically. You only need to remember one password — the master password.
Bitwarden: free, open source, audited
Bitwarden is our top recommendation for a simple reason: the free plan is complete and unlimited (unlimited vault, sync across all your devices, password generator). The code is open source and was audited by Cure53 in 2022, so anyone can inspect what the clients actually do with your data rather than take the vendor's word for it.
Bitwarden Premium ($10/year) adds vault health reports, including an exposed-passwords report that flags entries found in known breaches, so you learn about a leaked password without having to check each one by hand.
See our full Bitwarden 2026 review for the technical details.
Try Bitwarden for free → Free plan · Unlimited vault · Open source, Cure53 audited
Proton Pass: for the privacy ecosystem
If you already use Proton Mail or Proton VPN, Proton Pass fits naturally into that ecosystem. A free plan is available, and every field of an item is end-to-end encrypted, including the URL and account name, whereas some password managers have historically left item URLs or titles in plaintext.
Proton Pass is particularly suited if you want a privacy-first solution from a Switzerland-based provider.
Our Proton Pass vs Bitwarden comparison helps you choose based on your profile.
Try Proton Pass → Free plan · E2EE metadata encryption · Proton ecosystem
05 — Recap checklist
Here are the actions in order, to check off as you go:
- Hacked account password changed
- Primary email password changed
- All active sessions disconnected, and third-party app access and app passwords revoked
- 2FA enabled on the hacked account (app, not SMS)
- 2FA enabled on primary email
- Recovery settings verified (email, phone number)
- Email forwarding rules and filters verified (none added by attacker)
- Accounts using the same password changed
- haveibeenpwned.com check completed
- Password manager installed to prevent recurrence
06 — Further reading
- Best Password Manager 2026 — our full ranking
- Best 2FA Authenticator App — Aegis, Google Auth, Bitwarden Authenticator compared
- Passkeys vs Passwords — the technology that might replace passwords permanently
PwdFortress earns a commission if you subscribe to Bitwarden Premium or Proton Pass via the links in this article. This does not change the price you pay or the editorial content — recommendations are based on independent testing.