First of all, why does it matter?
It's been estimated that 75% of all website attacks have a financial motive behind them. Organised crime gangs can make millions by stealing customer information and selling it to others on the underground black market. Their targets can include:
- Credit card information, for direct financial theft;
- Passwords, to try to access your accounts on other websites;
- Email addresses, to sell on to spammers;
- Other personal data, for targeting people in follow-up fraud.
Companies that have been hacked don't always publicly admit (or even fully know) what has been taken - if a hacker has managed to get your information then they may soon try to use it for their own gain. By following the guidance on this page you can help protect yourself from becoming a victim.
"But it's old news...."
Even if the news reports suggest that the website was hacked a few years ago (like the Yahoo! mega-breach story in 2016) you shouldn't make the mistake of thinking it doesn't matter to you. It still does.
If you had an account with the company at the time they were hacked then the advice on this page is still relevant, regardless of when the hack actually took place.
Change your password
If a website you use is hacked you should change your password straight away:
1. Change your password:
Log on to the website (type the address into the browser directly - don't click on a link in any email as this could be faked) and change your password as soon as you can. See our guide to 12 ideas for strong passwords.
2. Change any password reset questions:
Hackers could also have stolen your answer to any password reset question (those questions like "What is your mother's maiden name?"). If the website uses these (not all sites do) then you should also change this as a precaution to stop any hacker from getting back in.
3. Prevent further fallout:
Were your password or security question used anywhere else too? If so you should log on to those sites and change them there as well - see our tips for making all your passwords unique.
After any big hack hits the news you might see websites offering you the chance to see if your account was affected. But as tempting as it is to find out if your data was stolen, often these are just scams designed to get your username and password.
The only site of this type that you can trust is Have I Been Pwned?, a website run by renowned security researcher Troy Hunt. Never trust any other site!
Review your account
As well as changing your password you should also review all of your account settings & personal details carefully, just in case anyone has been into your account and changed something they shouldn't.
1. Check your order history
If it's a retail website check your order history - are there any unexplained orders? If orders have been placed that you didn't make then let the website know. You should still report it even if it was a long time ago; the website can investigate and if necessary give you a refund.
2. Are all your contact details still correct?
Sometimes hackers may try to leave themselves a way to get back into your account by changing your contact details. Double check all your account details - your postal address, email addresses, phone numbers, and any other details too. Make sure everything is correct.
3. Delete any unrecognized devices
Some websites, such as Facebook or Google, know which devices you've previously logged in from to help verify your identity. If the affected website offers this feature then review the devices it knows about (they'll be listed somewhere in your account settings) & delete any you don't recognise.
Be on the lookout for phishing and targeted fraud
Criminals are always on the lookout for any opportunities to scam people and make money. After a website you use is hacked you need to be especially alert to this - even if none of your data was taken there'll always be fraudsters who still try and blag it!
And if a fraudster has gotten hold of your information (for example the original hackers may have sold it on) then they can be especially convincing.
You should try to be alert to:
- Phone scams. Never trust any phone caller who claims to be from the company that has been hacked, even if they appear to know details of your account. Take their name & department, and call them back some time later using a phone number you find on their website. If they are genuinely from this company they'll understand.
- Email scams. These are the most common as they're so easy for fraudsters to send in bulk. Never click on any links or open any attachments on unexpected emails - see our guide to phishing for all the telltale signs to look for.
- Check your bank statements regularly. If you spot any unusual transactions then report them to the bank immediately. Even unknown tiny transactions are suspicious - it could be a criminal testing whether your bank or credit card details are "live" or not.
After the TalkTalk hack in the UK in October 2015 there were many cases of customers receiving phone calls from people pretending to be a TalkTalk employee, using knowledge of people's accounts as a convincer to try and persuade them to hand over credit card details. Some customers reported losing £1000s from these scams.
If the hackers might have gotten your financial information...
In cases where the hackers might have gotten hold of customer financial information, such as credit card details or bank data, there are some further steps you can take:
- Let your bank know: Let your bank or credit card company know straight away that your details may have been stolen; they'll put enhanced monitoring in place and/or replace your cards too.
- Monitor your credit file: Credit reference agencies, such as (in the UK) TransUnion, Credit Karma, Experian, and Equifax, all hold data on your recent credit history. Regularly checking your credit files for any unusual activity is a great idea.
- For US readers, the relevant links are: TransUnion, Experian, Credit Karma, and Equifax.
- Request a CIFAS warning flag: In the UK there's a central organisation called CIFAS working to help prevent financial fraud. For a small fee you can add yourself to a protective register (used by all banks) which will trigger enhanced identity checks should anyone try to take out a loan in your name. Whilst this can be useful you should be aware that it isn't for everyone and is for the most serious cases only - see their website for all the details.
Review your other web accounts too
They say that prevention is better than the cure, and this is as true for websites as it is for anything else in life. We can't control how well any website protects our information, nor can we know which site will be attacked next. But with a few simple precautions we can go some way to protecting ourselves should any other website we use ever be hacked in the future:
Make sure passwords across all your accounts are unique
If your password is the same password everywhere then your security is only as good as the weakest website. If one of them is ever hacked you'll have just given the hackers the key to all of your other accounts too.
See our guide here for tips on easily making all your passwords unique.
Close down old accounts
From time to time review which websites you're still using and close down any accounts you don't need anymore - see our guide to spring cleaning your digital footprint.