How to Kick an Attacker Off Your Account After a Session Hijack

    Oh dear, it sounds like your online account might have been taken over. This can be a really stressful experience, but don't worry – we're here to help you get your account back and secure. This guide will walk you through the steps to kick the attacker out and lock them out for good.

    Act quickly! The sooner you follow these steps, the less damage an attacker can do. Time is of the essence when your account security is compromised.

    Recognising a Session Hijack

    A 'session hijack' means someone has stolen the digital key that keeps you logged into an account – the session cookie or token your browser or app holds after you sign in. Instead of needing your password, they can present that key and the service treats them as you. This might happen if you've clicked on a dodgy link, used an unsecured Wi-Fi network, or if your computer has been infected with malware.

    It's important to spot the signs early so you can take action.

    • You notice unfamiliar activity in your account (e.g., sent emails you didn't write, posts you didn't make, purchases you didn't authorise).
    • Your password has been changed without your knowledge, and you can't log in.
    • You receive notifications about logins from unusual locations or devices.
    • Money is missing from your bank or shopping accounts.

    Step 1: Sign Out Everywhere (Kick Them Out!)

    The first and most crucial step is to sign out of your account on all devices. This is like changing the locks on your house and forcing everyone inside to leave immediately: the service stops honouring every existing session, including the attacker's copy of your key. Most online services offer a way to do this from your account settings. If you suspect the device you normally use has malware on it, do this from a different device you trust.

    • For Google accounts: Go to your Google Account, then 'Security', scroll to 'Your devices', and click 'Manage all devices'. Select each active session that isn't you and choose 'Sign out'.
    • For Facebook: Go to 'Settings & Privacy' > 'Settings' > 'Security and Login'. Look for the 'Where you're logged in' section, then click 'See More' and 'Log Out Of All Sessions'.
    • For Apple ID: Go to 'Settings' > [your name]. Scroll down to see a list of devices associated with your Apple ID. Tap each device you don't recognise (or that isn't yours) and choose 'Remove From Account'.

    Step 2: Change Your Password Immediately

    Once you've forced everyone out, you need to change your password to a strong, unique one. This is like putting a brand new, unguessable lock on your door. Don't use a password you've used before, and make it a good mix of upper and lower case letters, numbers, and symbols. A password manager can help you create and remember these.

    • Choose a password that is at least 12 characters long – the longer, the better.
    • Use a combination of uppercase letters, lowercase letters, numbers, and symbols.
    • Avoid using personal information like birthdays, pet names, or easily guessable words.
    • Consider using a passphrase – a string of unrelated words that's easy for you to remember but hard for others to guess (e.g., 'CorrectHorseBatteryStaple!' – though not that exact one, which is now widely known).
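    To show why Steps 1 and 2 actually lock a hijacker out, here is an added illustration of how a service can implement them server-side; it is not any particular provider's code. Each account carries a session 'generation', every issued session token records the generation it was issued under, and 'sign out everywhere' (or a password change) bumps that number, so the stolen key stops working while the owner simply logs in again. The in-memory store, the account 'alice' and the passwords are all constructed for the example.

```python
import hashlib
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a production password KDF such as argon2 or bcrypt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class SessionStore:
    def __init__(self) -> None:
        self.accounts: dict[str, dict] = {}           # user -> salt, hash, generation
        self.tokens: dict[str, tuple[str, int]] = {}  # token -> (user, generation)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = {"salt": salt, "hash": _hash(password, salt), "gen": 0}

    def login(self, user: str, password: str):
        acct = self.accounts.get(user)
        if acct is None or not secrets.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return None
        token = secrets.token_urlsafe(32)  # the 'digital key' the browser keeps as a cookie
        self.tokens[token] = (user, acct["gen"])
        return token

    def whoami(self, token: str):
        # A session is honoured only if it was issued under the account's current generation
        entry = self.tokens.get(token)
        if entry is None:
            return None
        user, gen = entry
        return user if self.accounts[user]["gen"] == gen else None

    def sign_out_everywhere(self, user: str) -> None:
        self.accounts[user]["gen"] += 1  # Step 1: every device is kicked, attacker included

    def change_password(self, user: str, new_password: str) -> None:
        acct = self.accounts[user]
        acct["hash"] = _hash(new_password, acct["salt"])
        self.sign_out_everywhere(user)  # Step 2 should always imply Step 1

def recovery_scenario():
    """Constructed walk-through: a copied token works until the owner recovers the account."""
    store = SessionStore()
    store.register("alice", "old-password-1")
    stolen_token = store.login("alice", "old-password-1")  # the hijacker holds a copy of this
    before = store.whoami(stolen_token)                     # 'alice': no password needed
    store.change_password("alice", "new-unrelated-passphrase-7")
    after = store.whoami(stolen_token)                      # None: the stolen key is dead
    fresh = store.whoami(store.login("alice", "new-unrelated-passphrase-7"))  # owner is back in
    return before, after, fresh
```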

    Step 3: Remove Any Leftover Access

    Attackers can sometimes leave 'backdoors' to get back in, even after you've changed your password. This might involve setting up new recovery options, linking their own apps, or forwarding your emails. You need to meticulously check for and remove anything that looks suspicious. Think of it as checking every window and hidden entrance of your house.

    • Check 'Account Recovery' or 'Password Reset' options: Ensure any recovery email addresses or phone numbers are yours and remove any you don't recognise.
    • Review 'Connected Apps' or 'Authorised Apps': Many services allow third-party apps to access your account. Remove any apps you don't recognise or no longer use.
    • Check 'Email Forwarding' and filter rules: Especially in webmail accounts, attackers might set up rules to forward your emails to them or to hide security alerts. Delete any rule you didn't create yourself.
    • Review 'Security Questions': If you use security questions, make sure the answers haven't been changed to something you wouldn't know.

    Step 4: Turn On Two-Factor Authentication (2FA)

    This is a must-do step! Two-Factor Authentication (2FA), sometimes called multi-factor authentication (MFA) or two-step verification, adds an extra layer of security. Even if an attacker gets your password, they can't get into your account without the second 'factor' – usually a code sent to your phone or generated by an authenticator app. It's like needing both a key and a special code to open your door.

    • Use an authenticator app (like Google Authenticator or Authy) – its codes are generated on your device and are much harder to intercept than SMS.
    • SMS codes to your phone are better than nothing, but be aware of 'SIM swap' attacks.
    • Backup codes are essential! Store them securely in case you lose your phone.

    Key takeaway

    Dealing with an account hijack can be unsettling, but by following these steps, you can swiftly remove the attacker and secure your digital life. Always be vigilant about suspicious activities and keep your security practices up-to-date. Taking these actions empowers you to regain control and protect your personal information online. Stay safe out there!
