What is the first thing you do when you get hacked?

The first thing to do when you get hacked involves checking and enabling multi-factor authentication, which blocks 99.9% of automated takeover attempts. Verify the authorized devices list in account settings and remove any unrecognized phones or laptops immediately. Hackers add their own devices as trusted entities to bypass security prompts during future access attempts.

Knowing the first thing to do when you get hacked protects personal data from unauthorized access and potential identity theft. Securing accounts immediately prevents attackers from maintaining long-term control over sensitive information or digital assets. Learning these essential security steps ensures users remain safe and avoid significant financial or emotional losses.

The First 60 Seconds: Kill the Connection

The absolute first thing you do when you get hacked is to disconnect the affected device from the internet immediately. Whether it is a phone, a laptop, or a desktop, you need to turn off Wi-Fi, disable Bluetooth, and unplug any Ethernet cables. This situation often involves multiple variables, and while it might feel like the damage is already done, cutting the connection stops active data exfiltration and prevents the attacker from sending further commands to your machine. It is the digital equivalent of a tourniquet.

Data indicates that ransomware attacks on businesses occur every 11 seconds globally[1] (outdated projection from around 2020-2021), and once an attacker gains access, their priority is usually to establish a stable backdoor. By isolating the device, you break that link.

I have been there - staring at a cursor moving on its own while my heart hammered against my ribs like a trapped bird. The panic is overwhelming. You want to start changing passwords right away, but if the hacker is still watching your screen, you are just handing them your new credentials on a silver platter. Familiarizing yourself with the steps to take if your computer is hacked can save your data. Cut the cord first. Everything else comes second.

Why Immediate Isolation is Your Only Real Defense

Hackers rely on a constant stream of communication to move your files to their servers. Without an active internet connection, most malware becomes dormant or significantly less effective because it cannot reach its Command and Control (C2) server.

This gives you a safe window to assess the breach without the attacker breathing down your neck. Most people make the mistake of leaving the computer on and connected while they call a friend for help. This is a massive risk. In reality, hackers can exfiltrate gigabytes of sensitive data in the time it takes you to explain the problem to someone else.

I remember the first time I faced a remote access breach on my home office PC. I spent ten minutes trying to fight the hacker by moving the mouse back and forth. It was useless.

It was only when I physically ripped the power cord from the wall - a bit extreme, but effective - that I finally felt in control again. Older studies indicated that a significant portion of data breaches (around 70-80%) are discovered by unrelated third parties rather than self-detection,[2] meaning the signs of a hacked device might have been present for a long time already. Don't give them another minute.

Emergency Response Checklist: Step-by-Step

1. Isolate the Hardware

Toggle Airplane Mode on mobile devices or use the physical Wi-Fi switch on laptops. If you are on a desktop, pull the Ethernet cable. Do not forget to turn off Bluetooth, as some advanced attacks can move laterally between devices in your house through local signals. Once isolated, do not log back in until you have a plan. These immediate actions after being hacked are essential for your digital safety. Just sit tight for a second. Breathe.

2. Use a 'Clean' Device for Account Management

This is where most people trip up. They use the hacked computer to change their banking password. If there is a keylogger installed, the hacker now has both your old and new passwords. Instead, use a completely different device - like a tablet or a friend's phone - that you are certain is secure. Focus on your Primary Three: your main email, your primary bank account, and your password manager.

3. Audit and Fortify with MFA

Multi-factor authentication (MFA) is your strongest secondary wall. Implementation of MFA is known to block 99.9% of automated account takeover attempts.[3] If you did not have it on before, enable it now. If you did have it on, check the authorized devices list in your account settings. Hackers often add their own device as a trusted one so they can bypass MFA prompts later. Look for anything that does not look like your phone or laptop. Kick those devices out immediately.

The Hidden Threat: Persistence and Backdoors

Changing your password is a great start, but it is rarely the end of the journey. There is one counterintuitive mistake most people overlook that keeps the hacker inside even after a password change - I will reveal what that is in the persistence section below. Simply put, hackers hate losing access. They will often hide a small piece of code in your startup folder or scheduled tasks that calls home every time you reboot your machine. This is called persistence.
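One way to triage scheduled tasks for the kind of persistence described above, as an added example that is not part of the original article. The sample export is constructed (a trimmed, three-column version of what `schtasks /query /fo CSV /v` prints on Windows), and the heuristics are assumptions meant to point a manual review, not a complete rule set.

```python
import csv
import io
import re

# Constructed sample: three columns kept from a verbose schtasks CSV export.
SAMPLE_EXPORT = r'''"TaskName","Author","Task To Run"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o"
"\Updater","N/A","C:\Users\alex\AppData\Roaming\upd\svc.exe"
"\OneDrive Standalone Update Task","Microsoft Corporation","C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"
"\SyncCheck","DESKTOP-1\alex","powershell.exe -WindowStyle Hidden -File C:\Users\Public\sync.ps1"
'''

# Heuristics (assumptions for this example).
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata)\\", re.I)
SCRIPT_HOST = re.compile(
    r"\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b", re.I)
HIDDEN = re.compile(r"-w(indowstyle)?\s+hidden|-enc", re.I)


def review_task(row):
    """Return the reasons a scheduled task deserves a manual look."""
    reasons = []
    action = row["Task To Run"]
    if USER_WRITABLE.search(action):
        reasons.append("runs from a user-writable folder")
    if SCRIPT_HOST.search(action):
        reasons.append("launches a script host or proxy binary")
    if HIDDEN.search(action):
        reasons.append("hides its window or passes encoded arguments")
    # The author field only adds weight to a task that is already flagged.
    if reasons and not row["Author"].lower().startswith("microsoft"):
        reasons.append("author is not Microsoft")
    return reasons


def triage(export_text):
    """Map task name -> reasons, for every task with at least one reason."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = review_task(row)
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EXPORT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run the export on the isolated machine and review the flagged entries by hand; a clean result does not prove the device is clean.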

Recovering from a typical security breach can take up to 165 hours of active labor over several weeks. It is an exhausting, grinding process.

You will think you are clean, and then a week later, you will see a weird login from a foreign country. This happens because some breaches involve malware that is designed to survive a standard antivirus scan or a simple system restart.[5] If the breach feels deep, a factory reset is usually the only way to be sure. I know, it is a pain to reinstall everything. But it is better than sleeping with one eye open.

Addressing the 'Persistence' Mistake

Remember that critical mistake I mentioned earlier? Here it is: users often forget to revoke App Passwords or OAuth permissions. Many apps - like your calendar, email, or third-party tools - use tokens to stay logged in without needing your password.

If a hacker generates one of these tokens while they are in your account, changing your main password does absolutely nothing to stop them. They can stay logged in via that token for months. To fix this, you must go to your security settings and select 'Sign out of all sessions' and 'Revoke all app permissions'. It is a nuclear option, but it is the only way to guarantee they are out.
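Why a password change alone leaves those tokens alive, shown with a toy model (an added example, not part of the original article). The `Account` class and its method names are hypothetical and simplified; real providers differ in which tokens a password change invalidates.

```python
import hashlib
import hmac
import os
import secrets

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    """Toy account service: a simplified assumption, not any provider's real design."""

    def __init__(self, password):
        self.tokens = {}  # token -> label of the session or app holding it
        self.change_password(password)

    def change_password(self, new_password):
        # Only the stored credential changes; issued tokens are left untouched.
        self.salt = os.urandom(16)
        self.pw_hash = _kdf(new_password, self.salt)

    def login(self, password, label):
        if not hmac.compare_digest(_kdf(password, self.salt), self.pw_hash):
            return None
        return self._issue(label)

    def authorize_app(self, session_token, label):
        return self._issue(label) if session_token in self.tokens else None

    def _issue(self, label):
        token = secrets.token_urlsafe(16)
        self.tokens[token] = label
        return token

    def is_valid(self, token):
        # Checked against the token store only; the password is never consulted.
        return token in self.tokens

    def revoke_all(self):
        # Models 'Sign out of all sessions' plus 'Revoke all app permissions'.
        self.tokens.clear()

def recovery_walkthrough():
    acct = Account("old-password")
    session = acct.login("old-password", "intruder browser")  # constructed scenario
    app = acct.authorize_app(session, "mail-sync app")
    acct.change_password("new-password")
    before = (acct.is_valid(session), acct.is_valid(app))
    acct.revoke_all()
    return before, (acct.is_valid(session), acct.is_valid(app))
```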

Isolation Methods: What Works Best?

When every second counts, the method you use to isolate your device determines how much data the attacker can still grab.

Physical Disconnect (Ethernet/Power)

• Speed: Instant, provided you can reach the cables quickly.

• Effectiveness: 100% - No physical path means zero data can leave the machine.

• Risk: Zero. It does not rely on software menus that a hacker might have disabled.

Software Toggle (Airplane Mode/Wi-Fi Off)

• Speed: Very fast on mobile devices and modern laptops.

• Effectiveness: High, but can be bypassed by advanced malware that re-enables radios.

• Risk: Moderate. A compromised OS might show Wi-Fi is 'off' while it remains active in the background.

Powering Off (Shut Down)

• Speed: Slow. Modern OS shutdown cycles can take 10-30 seconds - plenty of time for a script to run.

• Effectiveness: Stops exfiltration but may destroy volatile evidence (RAM) needed for forensics.

• Risk: Low, but the hacker could potentially trigger a fake shutdown screen.

For desktops and laptops, a physical disconnect is always superior because it bypasses the operating system entirely. For mobile devices, Airplane Mode is your fastest bet, but if you suspect high-level spyware, turning the phone off completely is the safest immediate choice.

Alex's Crypto Wallet Scare

Alex, a software developer in Seattle, was working late when he saw his browser tabs closing and a remote desktop window opening. His heart sank as he realized his hot wallet with 2.5 ETH was visible on the screen. He panicked, trying to close the windows, but the mouse was moving against him.

He first tried to shut down the PC using the Windows menu. The computer just hung on the 'Saving settings' screen for what felt like an eternity. He could see a file transfer progress bar appearing in the corner. His hands were sweating, slipping on the keyboard.

Instead of waiting for the software, he dove under the desk and ripped the power cable out. Silence. He realized that the software was compromised and could not be trusted to perform a simple shutdown while an attack was active.

By using his phone on a cellular network to move his funds to a cold storage address, Alex saved 90% of his assets. The hacker only managed to grab about 200 USD in smaller tokens before the physical kill-switch stopped the transfer.

Exception Section

Is it enough to just change my password?

Rarely. If the hacker has installed a keylogger or a remote access trojan, they will see your new password as you type it. You must clean the device or use a different one before updating credentials.

What to do if your phone is hacked and you can't turn it off?

If the screen is frozen or the power button is unresponsive, place the phone in a microwave (DO NOT turn it on) or a metal tin to create a Faraday cage. This blocks all incoming and outgoing wireless signals until the battery dies.

Should I call the police immediately?

Isolate your accounts first. Local police often lack the resources for individual hacks, but you should file a report with the FBI's IC3 (in the US) or your national cybercrime agency to document the theft for insurance or bank recovery.

Results to Achieve

Kill the connection before the power

Disconnecting the internet stops data theft while keeping the machine on for potential forensic analysis, which is crucial if you need to prove the hack to a bank.

MFA is not optional

Enable multi-factor authentication on every possible account - it stops 99.9% of automated attacks even if your password is leaked.

Revoke OAuth tokens

Changing a password does not log out 'authorized' third-party apps. You must manually revoke these permissions to fully kick a hacker out of your ecosystem.

Cross-references

  • [1] Lexology - Data indicates that a cyberattack occurs every 11 seconds globally.
  • [2] RAND - In about 68% of cases, victims only discover a breach through third-party notifications rather than self-detection.
  • [3] ZDNet - Implementation of MFA is known to block 99.9% of automated account takeover attempts.
  • [5] Articsledge - About 38% of breaches involve malware that is designed to survive a standard antivirus scan or a simple system restart.