My email or social account was hacked — what now?

The order matters: retake the account, evict the intruder from every session, close the door they came through, then repair the blast radius — email first, always, because email resets everything else.

  1. Retake email before anything elseYour inbox is the master key — password resets for every other account land there. Use the provider’s account-recovery flow, from a clean device. New, unique password; then check recovery email/phone entries for attacker swaps.
  2. Evict active sessions and tokensIn security settings: sign out all devices/sessions, revoke unknown app passwords, connected apps and OAuth grants. Attackers persist through tokens after you change the password — this step is the one people skip.
  3. Hunt the quiet backdoorsEmail: forwarding rules, filters that auto-delete security alerts, delegate access. Social: linked pages, added admins, changed handles. These survive password changes by design.
  4. Turn on real 2FAAuthenticator app or passkey, not SMS where avoidable. Store backup codes offline. This converts “password leaked” from catastrophe to non-event, permanently.
  5. Repair the blast radiusWarn contacts about scam messages sent “as you” (screenshot examples); check sent folders and message requests; reset any account whose password reset landed in the compromised inbox during the takeover window; review bank/shop accounts that reused the same password — and stop reusing (manager + haveibeenpwned check).
  6. Report and paper-trail itIn-platform hacked-account report (restores flagged actions, documents the takeover), police report if money moved or fraud was committed as you, and an Art. 15 request to the platform for access logs if you need evidence — IPs and timestamps of the intrusion.

How they got in decides your last move: password reuse from an old breach (fix: manager + 2FA everywhere), a phishing page you can still find in your history (report it — and run future links through our scam checker first), or malware (clean the device before typing a single new password — otherwise you are handing over the replacements too). One legal footnote worth knowing: unauthorised account access is a crime in every EU country, and platforms hand over intrusion logs far faster to police case numbers than to angry emails — the report is leverage, not paperwork.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← What now?✍️ Generate this letter — free📞 Your data protection authority