
Published: 23rd May 2023 | In: Insights

The following advice is suitable for both corporate and personal accounts because the principles are the same everywhere.

If you believe that your account has been compromised, here are the steps you should take:

  1. Change your password. If you suspect that your account has been compromised, change your password immediately. Make sure to use a strong, unique password that is not used for any other accounts.
  2. Enable two-factor authentication (2FA). Two-factor authentication adds an extra layer of security to your account by requiring you to enter a code in addition to your password when logging in. This makes it much harder for someone to access your account even if they have your password.
  3. Check for unauthorised activity. After changing your password and enabling 2FA, check for any unauthorised activity on your account. This might include suspicious login attempts, unfamiliar account activity, or unusual purchases or data access.
  4. If you have re-used the password anywhere else, particularly where it is associated with the same email address or username, repeat the above guidance for each of the potentially exposed accounts. Once a hacker has obtained your credentials, they will try them against other sites and services to see whether they can reach further resources or data.
  5. Use a password manager. A password manager is a tool that helps you generate and store strong, unique passwords for all of your accounts. This can help reduce the risk of your accounts being compromised in the future.

  6a. If it’s a personal account, contact customer support. If you are unable to secure your account or if you notice any unusual activity, you should contact the customer support team for the service or platform where your account was compromised. They may be able to help you secure your account and reverse any unauthorised actions.

  6b. If it’s a corporate account, make sure that the data protection officer has been informed. You may be required to perform a data impact analysis on any data accessed or potentially accessed by the unauthorised third party. You should also contact your IT department or follow the process for raising a cyber incident.

  7. Receiving multiple push notifications from an authenticator application that you did not initiate is an indication that your username and password combination has been compromised and that an attacker is trying to bypass multi-factor authentication (MFA). Never accept an authenticator push notification you did not request, and change your password in line with the above guidance.
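As an added example that is not part of the original post, the Python script below shows how steps 3 and 7 translate into checks a defender can run over sign-in logs: it flags successful sign-ins from an address the account owner has not used before, and it flags bursts of MFA push prompts that were denied or left unanswered, noting whether an approval followed the burst (the pattern that indicates prompt fatigue succeeded). The log format, the sample lines and the `KNOWN_IPS` list are all constructed for the example; the timestamps and addresses come from documentation ranges and describe no real account.

```python
"""Indicators from steps 3 and 7 of the post, checked against constructed sign-in logs.

Added example, not code from the original post. The line format is hypothetical:
"<ISO timestamp> <event> user=<name> ip=<addr> result=<outcome>", with events
LOGIN and MFA_PUSH.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Lines are not in time order on purpose.
SAMPLE_LOG = """\
2023-05-22T08:01:10Z LOGIN user=alice ip=203.0.113.10 result=success
2023-05-22T08:01:12Z MFA_PUSH user=alice ip=203.0.113.10 result=approved
2023-05-22T22:14:03Z LOGIN user=alice ip=198.51.100.7 result=password_ok
2023-05-22T22:14:05Z MFA_PUSH user=alice ip=198.51.100.7 result=denied
2023-05-22T22:14:21Z MFA_PUSH user=alice ip=198.51.100.7 result=timeout
2023-05-22T22:14:40Z MFA_PUSH user=alice ip=198.51.100.7 result=timeout
2023-05-22T22:15:02Z MFA_PUSH user=alice ip=198.51.100.7 result=denied
2023-05-22T22:15:30Z MFA_PUSH user=alice ip=198.51.100.7 result=approved
2023-05-22T22:15:31Z LOGIN user=alice ip=198.51.100.7 result=success
2023-05-22T09:30:00Z LOGIN user=bob ip=203.0.113.44 result=success
2023-05-22T09:30:02Z MFA_PUSH user=bob ip=203.0.113.44 result=approved
"""

# Constructed "known devices" baseline: addresses each owner has used before.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.44"}}

PUSH_WINDOW = timedelta(minutes=5)   # sliding window for counting prompts
PUSH_THRESHOLD = 3                   # denied/unanswered prompts that count as a burst


def parse_line(line):
    """Split one log line into a dict with a parsed timestamp and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def unfamiliar_logins(records, known_ips):
    """Step 3: successful sign-ins from an address the owner has not used before."""
    hits = []
    for rec in records:
        if rec["event"] != "LOGIN" or rec["result"] != "success":
            continue
        if rec["ip"] not in known_ips.get(rec["user"], set()):
            hits.append((rec["user"], rec["ip"], rec["ts"]))
    return hits


def push_fatigue(records, window=PUSH_WINDOW, threshold=PUSH_THRESHOLD):
    """Step 7: per user, a burst of MFA prompts the owner did not approve.

    Returns {user: {"prompts": n, "approved_after_burst": bool}} for users whose
    denied/unanswered prompts within any `window` reached `threshold`. An approval
    after the burst is the worst case: the owner eventually accepted a prompt.
    """
    pushes = defaultdict(list)
    for rec in records:
        if rec["event"] == "MFA_PUSH":
            pushes[rec["user"]].append(rec)

    flagged = {}
    for user, events in pushes.items():
        events.sort(key=lambda r: r["ts"])
        rejected = [r["ts"] for r in events if r["result"] != "approved"]
        start = 0
        for end in range(len(rejected)):
            # Advance the window start until the span fits inside `window`.
            while rejected[end] - rejected[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = rejected[end]
                approved_after = any(
                    r["result"] == "approved" and r["ts"] > burst_end for r in events
                )
                flagged[user] = {"prompts": count, "approved_after_burst": approved_after}
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, ip, ts in unfamiliar_logins(recs, KNOWN_IPS):
        print(f"[step 3] {user}: successful sign-in from unfamiliar address {ip} at {ts:%H:%M:%S}")
    for user, info in push_fatigue(recs).items():
        print(f"[step 7] {user}: {info['prompts']} unapproved MFA prompts in "
              f"{PUSH_WINDOW}; approval followed burst: {info['approved_after_burst']}")
```

Run as a script it reports one unfamiliar sign-in for `alice` and one push burst for `alice` that ended in an approval; `bob`, whose single prompt was approved from a known address, is not flagged. In a real deployment the `KNOWN_IPS` baseline would come from the identity provider's device or location history, and both findings would be the trigger for the password change and account review the post describes.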

Act quickly if you believe that your account has been compromised. The sooner you take steps to secure your account, the less likely it is that you will experience any serious consequences as a result of the compromise.

Further advice in the event of a cyber security incident

You might also find our blog ‘Ten dos and ten don’ts when responding to a cyber-attack’ useful in a worst-case scenario.

Threat intelligence bulletins

If you’re looking for regular threat intelligence advice about technology vulnerabilities, please visit the dedicated page on our website, which is updated several times a week.