What to Do If Your Business Gets Hacked

Don't Panic — But Move Fast

Getting hacked is frightening. Your first instinct might be to freeze, or to start clicking around trying to figure out what happened. Resist both.

The first 24 hours are critical. The actions you take — and the order you take them — can mean the difference between a bad day and a catastrophic loss.

Here's exactly what to do.

Step 1: Identify What Was Compromised

Before you can respond, you need to know what you're dealing with. Common scenarios:

  • Email account taken over — you've been locked out, or you see emails you didn't send
  • Website hacked — defaced, down, showing strange content, or flagged by Google as dangerous
  • Social media account stolen — you can't log in, or posts are appearing without you
  • Financial fraud — unauthorized charges or transfers
  • Data breach — customer or employee information exposed

Different situations require different responses. Take two minutes to identify which one (or which combination) you're facing before you act.

Step 2: Contain the Damage

Change passwords immediately — starting with your email account. If your email is compromised, assume any account tied to that email is at risk, because your email is how you reset every other password.

Sign out of all active sessions — most email services and social platforms have a "sign out everywhere" or "active sessions" option in security settings. Use it.

Revoke app access — check which third-party apps have access to compromised accounts and revoke anything you don't recognize.

Alert your bank — if there's any chance financial information was involved, call your bank immediately. They can monitor for suspicious activity or freeze your accounts.

Step 3: Secure Your Recovery Path

Attackers often lock in their access by changing your recovery email and phone number before you notice. Check and restore:

  • Recovery email address
  • Recovery phone number
  • Security questions
  • Backup codes for 2FA

Also check for any email forwarding rules that may have been set up quietly. A common trick is to forward copies of all your emails to an attacker's address, so they keep reading your inbox even after you've regained access.
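One way to triage an exported list of inbox rules for the quiet-forwarding trick described above, added here as an example (it is not the article's own code); the rule records are constructed sample data, and the field names and the org domain are assumptions:

```python
# Added example (not the article's own code): triage exported inbox rules for the
# quiet-forwarding trick described above. SAMPLE_RULES is constructed data shaped
# like a mail-admin export; the field names and ORG_DOMAINS are assumptions.

ORG_DOMAINS = {"example-business.com"}  # assumed: the domains your business owns

def external_targets(addresses, org_domains=ORG_DOMAINS):
    """Return the addresses that point outside the organisation's own domains."""
    external = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in org_domains:
            external.append(addr)
    return external

def flag_rule(rule, org_domains=ORG_DOMAINS):
    """Return the reasons a rule looks suspicious; an empty list means it looks benign."""
    reasons = []
    targets = list(rule.get("forward_to", [])) + list(rule.get("redirect_to", []))
    external = external_targets(targets, org_domains)
    if external:
        reasons.append("forwards or redirects to external address(es): " + ", ".join(external))
    if rule.get("delete_message"):
        reasons.append("deletes matching messages, which hides the forwarding from the owner")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("blank or one-character rule name, a common way to avoid attention")
    return reasons

def triage(rules, org_domains=ORG_DOMAINS):
    """Return (rule name, reasons) for every enabled rule that raised at least one flag."""
    findings = []
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = flag_rule(rule, org_domains)
        if reasons:
            findings.append((rule.get("name", ""), reasons))
    return findings

# Constructed sample export: one legitimate internal forward, one rule that matches
# the attacker pattern (external target, deletes the copy, one-character name).
SAMPLE_RULES = [
    {"name": "Invoices to accounting", "enabled": True,
     "forward_to": ["ap@example-business.com"], "delete_message": False},
    {"name": ".", "enabled": True,
     "forward_to": ["archive.mailbox@mail-example.net"], "delete_message": True},
    {"name": "Newsletters", "enabled": True, "forward_to": [], "delete_message": False},
]
```

Run `triage(SAMPLE_RULES)` against your own export; also check the mailbox-level forwarding setting, which lives outside the rule list in most services.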

Step 4: Figure Out How It Happened

You need to close the door, not just kick out the attacker. Common entry points:

  • Weak or reused password — change all accounts that used the same password
  • Phishing — you clicked a link and entered credentials on a fake site
  • Compromised third-party app — a connected app had a breach
  • Malware on your computer — if you suspect this, scan your devices immediately (Malwarebytes is free and reliable)

If you can't identify the entry point, assume your password was compromised and change passwords across all important accounts.

Step 5: Communicate Appropriately

If customer data was involved, you may have legal obligations to notify affected individuals. Requirements vary by state, but 72 hours is a common window. Contact a lawyer before sending any breach notification if you're unsure what's required.

If your website was hacked, Google may flag it as dangerous. Once you've cleaned it up, use Google Search Console to request a malware review.

Brief any employees on what happened and what steps they should take.

Step 6: Prevent the Next One

Once the immediate crisis is handled:

  • Enable two-factor authentication on all important accounts
  • Use a password manager to generate and store unique passwords for every account
  • Set up login alerts where available — most services can email you when someone logs in from a new device
  • Consider credit monitoring if personal financial information was exposed

Getting hacked once is misfortune. Getting hacked twice the same way is preventable.

When to Call a Professional

If the breach is serious — customer data exposed, website completely compromised, significant financial fraud — consider calling a professional rather than handling it alone.

Incident response firms specialize in exactly this situation. They can perform forensic analysis to determine exactly what was accessed and when, help you meet legal notification requirements, and harden your systems against future attacks.

This isn't cheap (incident response can run $150–$300/hour), but for a serious breach involving customer data or financial systems, it's often the right call.

What "Cleaned Up" Actually Means for a Hacked Website

Removing malware from a website isn't just deleting suspicious files. Attackers often install backdoors — hidden files that let them regain access even after you've cleaned the obvious infection. A thorough cleanup means:

  1. Taking a backup of the infected site (for evidence)
  2. Scanning all files for known malware signatures (Wordfence for WordPress, Sucuri for any platform)
  3. Comparing your file system against a known-clean version
  4. Reviewing all admin accounts and removing any you didn't create
  5. Changing all passwords: FTP, database, CMS admin, hosting control panel
  6. Keeping software, plugins, and themes updated to close the original vulnerability

If you're not comfortable doing this yourself, Sucuri and Wordfence both offer professional website cleanup services.
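Step 3 of the cleanup list above, comparing the site's files against a known-clean version, as an added example (not the article's or any vendor's code); the manifest format and the constructed site layout are assumptions:

```python
# Added example (not the article's own code): compare a possibly infected site's
# files against a known-clean manifest, as in step 3 of the cleanup list above.
# The manifest format {relative_path: sha256} is an assumption; build it from a
# clean backup or a fresh download of the same CMS, plugin and theme versions.
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map every file under root (as a relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def compare_to_manifest(current, manifest):
    """Return added, modified and missing paths relative to the clean manifest."""
    added = sorted(p for p in current if p not in manifest)
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    return {"added": added, "modified": modified, "missing": missing}

def demo():
    """Build a constructed clean site, record its manifest, then tamper with it."""
    with tempfile.TemporaryDirectory() as site:
        files = {"index.php": b"<?php echo 'home';",
                 "wp-config.php": b"<?php /* config */",
                 "wp-content/plugins/seo/seo.php": b"<?php // plugin"}
        for rel, data in files.items():
            path = os.path.join(site, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        manifest = hash_tree(site)  # this is the "known-clean version"
        with open(os.path.join(site, "index.php"), "ab") as fh:
            fh.write(b"\n// appended line simulating tampering")
        with open(os.path.join(site, "wp-content/uploads.php"), "wb") as fh:
            fh.write(b"<?php // file that is not in the manifest")
        os.remove(os.path.join(site, "wp-content/plugins/seo/seo.php"))
        return compare_to_manifest(hash_tree(site), manifest)
```

Every path in "added" or "modified" is a candidate for review; a file that is not in the clean manifest is exactly where a backdoor would sit.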

Google's Safe Browsing Process

When Google's crawlers detect malware on a website, they flag it in Google Safe Browsing — a database used by Chrome, Firefox, and Safari to warn users. Your site may show a "Deceptive site ahead" warning.

After cleaning your site, submit a Malware Review Request through Google Search Console. Google typically reviews within a few days and removes the warning once they confirm the site is clean. The warning doesn't disappear automatically — you must request review.

Legal Obligations After a Data Breach

In the United States, all 50 states have data breach notification laws. While requirements vary, most require notifying affected individuals within 30–90 days if their personal information (name combined with Social Security number, financial account numbers, medical records, etc.) was exposed.

The FTC Safeguards Rule applies to financial businesses. HIPAA applies to healthcare. If you do business with EU residents, GDPR requires notification within 72 hours.

Don't self-assess your legal obligations in a panic. A quick consultation with a business attorney is worth it.
