Online accounts are important for our day-to-day activities and often store sensitive information about us. This can make them useful for cybercriminals looking to gain access to our resources or identities. Account compromise occurs when someone gets unauthorised access to your account and can act on your behalf. Having an online account compromised can be a stressful experience. If you suspect that one of your accounts has been compromised, this guide will help you respond.
What are the signs you’ve been compromised?
- You notice changes to your account that you didn’t make, for example, unrecognised videos or songs in your ‘recently watched’ list, or purchases you don’t remember making.
- You’ve received an unexpected password reset notification.
- You’ve been automatically logged out of your account on all devices.
- You can’t log in to your account, even though your login details are correct.
- People report suspicious or unusual messages, comments, or activity from your account.
- Your account shows a last login time, location or device that looks wrong.
- Your account provider alerts you to suspicious activity.
An account is also compromised if its login details have been leaked, even if there has been no suspicious activity yet. This could happen if you forget to log out of an account on a public computer, if another account with the same password is compromised, if your login details were exposed in a data breach, or if you were tricked into providing your login details as part of a phishing attack. Whatever the cause, you should take the steps listed in this guide to secure your account.
Call if you need support.
The Australian Cyber Security Centre has a 24/7 Hotline: 1300 CYBER1 (1300 292 371).
Call now if you need additional support, and in the meantime, keep calm and read this guide. It steps you through what you can do right now to limit the damage.
If your account stores your credit card details, or can be used to spend your money in any other way, call your bank or financial institution immediately and ask them to check for suspicious activity. Follow their guidance on securing your account and freezing any affected accounts or cards.
If you are not satisfied with the response from your bank, you can seek free advice from the Australian Financial Complaints Authority.
If you have lost money, do not accept offers from third parties to help you get it back; this is a common tactic used by scammers to steal more money from you.
Check your account provider’s website for advice on what to do if your account has been compromised. It is best to follow your account provider’s advice, if available, because they will tailor it to the specific requirements of your account.
You may no longer have access to your account with your old login details. If this is the case, you should search for recovery options offered by your service provider and follow their guidance.
You may not be able to recover your account. If this is the case, you should contact the account provider to let them know your account has been compromised and you no longer have access to it. It is important to still read the steps in this guide. Some steps will not be possible if you cannot log in to your account, but you can still notify contacts and check that other accounts are secure if needed.
If your account provider does not have advice on their website, follow the standard account recovery steps below.
Standard account recovery steps:
Change your password
Change your password or passphrase. It is best practice to change your password or passphrase by logging into your account’s online platform or application directly. Avoid clicking on password or passphrase reset links you receive by email or message, because fake reset links are commonly sent by cybercriminals. The ACSC has published guidance on using password managers and creating unique passphrases, a strong type of password. If you cannot access your account to change your password or passphrase, check whether the application provider has an account recovery option. Note that in some cases application providers may take a number of days to conduct additional checks before restoring access to your account.
Check your account recovery options
Go to your account settings and check that your account recovery details are accurate and up-to-date. Remove any account recovery options you don’t recognise. Cybercriminals sometimes add account recovery options that let them regain access to your account.
Log out of all devices
You may be able to manage what devices are logged into the account. If your account has this option, log out of all devices. You can usually find this option on your account security settings page. Changing your password or passphrase should also automatically log you out of all other devices.
Enable multi-factor authentication
Enable multi-factor authentication, if your account provider offers it. Multi-factor authentication will make it harder for cybercriminals to gain access to your account again. The ACSC has published guidance on enabling multi-factor authentication. The cybercriminal may have added their own multi-factor authentication methods, so remove any you don’t recognise.
If a cybercriminal has access to one of your accounts, they might have access to your other accounts too. Look for suspicious activity on your other accounts, starting with the most important ones. Prioritise accounts that have access to your finances (such as your bank account or online shopping accounts) or sensitive information (such as email, business, or cloud storage accounts). Accounts to look out for are:
- Accounts that share the same password as the compromised account. Change any shared passwords or passphrases to unique ones. The ACSC has published advice on using password managers and creating unique passphrases, a strong type of password.
- Accounts that are linked to the compromised account through third-party authentication. For example, if your Facebook account has been compromised, you should check for unauthorised activity on any other account where you used the “sign in with Facebook” or “continue with Facebook” option.
As you are securing your accounts, look for and make a note of any suspicious activity. For example, if you are securing an online shopping account, check for purchases made in your name. If you are securing a social media account, check if any scam messages have been sent from your profile.
If you noticed messages sent in the last step, you should inform any affected contacts that unauthorised messages have been sent in your name. This will help them recognise suspicious activity and disregard fraudulent messages. If messages have been automatically sent to all of your contacts, it may be worth looking into ways of contacting all of them at once – a Facebook post will do this, for example.
Do you know how your account was initially compromised?
If you don’t, cybercriminals may have used malware to steal the username and password for your account. Refer to the ACSC’s guidance on removing malware.
Make a record of the key details of the incident, including details of what happened, when it happened, what you think may have led to the incident, and the steps you took in response. Using your record, report the incident to the appropriate authorities:
- Use ReportCyber to report the incident to the ACSC and the relevant police jurisdiction.
- If the cybercriminal used a scam to access your account, or if they used your account to scam other people, report the incident to Scamwatch.
- Report the incident to your account provider, for example, Facebook, Netflix, or Amazon.