How to Find Out Who Hacked Your Account
Someone got into your email, your social profile, or your bank login, and your first instinct is to ask who did this. Almost every guide online answers half the question: it tells you to change your password and turn on two-factor, then says identifying the intruder is basically impossible. That is only true if you stop at the lock screen. This guide does both. First it walks you through securing the account and shutting the attacker out, fast and in the right order. Then it covers the part the other guides skip: the lawful attribution trail, including the login IP and location history, the recovery email or phone the intruder quietly added, reused usernames and leaked passwords, and the money trail if anything moved, all organized into evidence you can hand to police or an attorney.
The Short Version
Do two things in order. First, secure the account: change the password from a clean device, sign out all other sessions, turn on two-factor authentication, and check for sabotage the intruder left behind, such as a new recovery email or phone, mail forwarding or filter rules, and added payment methods. Then, before anything is overwritten, preserve the evidence: the account’s login and device activity, the IP addresses and locations of the unfamiliar sign-ins, the timestamps, and full email headers of any message the attacker sent. Identifying who hacked you is harder than securing the account, and it is not always possible, but it is far from hopeless. Login IPs, the recovery contact details the intruder added, reused handles and leaked credentials, and the money trail can all be researched lawfully and assembled into a real lead. People Locator Skip Tracing works that human trail and turns it into evidence that supports a police report or a civil claim. We never break into anything or hack back, and we are honest about what the records can and cannot show.
Watch: Who Hacked Your Account
Secure it first, then the lawful way to identify the intruder.
Watch Overview
What Account Takeover Actually Is
Knowing how the intruder got in tells you where the evidence lives.
Account takeover is what investigators call it when someone other than you gains control of an account you own: your email, a social profile, a bank or brokerage login, a gaming account, a cloud drive. It is different from a generic “scam,” because the attacker is not just tricking you into sending money, they are sitting inside something that belongs to you, reading what you read and sending messages as if they were you. That distinction matters, because it means the account itself becomes a crime scene, and crime scenes hold evidence if you preserve them before they are overwritten.
Most takeovers happen one of a few ways. The largest share is credential stuffing, where a password you reused somewhere was exposed in a data breach and criminals replay that email-and-password pair across hundreds of sites until one works. Others come from phishing, where a fake login page captures your real password, or from a malicious sign-in cookie or token stolen by malware, which can sail straight past two-factor. A smaller but painful category is the known person: an ex-partner, a roommate, a relative, or a coworker who knew your password, guessed your security answers, or had physical access to an unlocked phone. Each of these leaves a different signature in the login history, which is exactly why the activity log is the first thing to read, and the first thing to save.
Signs You Were Hacked
Any one of these is reason to act. Several together is a confirmed takeover.
You’re Locked Out
Your password no longer works, or you get a notice that your email, password, or recovery details were changed when you did not change them.
A Sign-In You Don’t Recognize
An alert flags a login from a device or a city you have never used, or your activity log shows a session from an unfamiliar location.
Messages You Never Sent
Contacts say they got spam, a money request, or a strange link from you, or your sent folder and post history contain things you did not write.
Missing or Diverted Mail
Expected emails vanish or land in trash because a forwarding or filter rule was added, often to hide password-reset notices from you.
Unexpected Reset Codes
You receive two-factor codes or password-reset emails you did not request, a sign someone is actively trying to get in or already has.
Money or Settings Moved
A new payment method, shipping address, or linked account appears, points or funds are gone, or your profile name, photo, or security settings changed.
Secure the Account First
Before you investigate anything, shut the intruder out. Do these in order.
The urge to play detective is natural, but the first job is to take back control, because while the attacker is still inside they can lock you out further, drain accounts, and erase the very logs you will need. Work from a device you trust, not the one you suspect is infected. The official walkthrough from the FTC on recovering a hacked email or social media account is a solid checklist to keep open while you do this. Do not delete anything yet, even spam the intruder sent, because deleting evidence helps no one but them.
Change the Password, Sign Out Everywhere
Set a new, unique password from a clean device, then use the “sign out all sessions” or “log out other devices” option so the intruder’s active session dies immediately. A password change alone does not always end an existing session.
Turn On Two-Factor Authentication
Enable two-factor, preferably an authenticator app or a security key rather than text messages, which can be intercepted. This blocks re-entry even if your password leaks again.
Reverse What the Intruder Changed
Check and remove any recovery email or phone you do not recognize, delete unfamiliar mail-forwarding and filter rules, drop unknown connected apps and devices, and remove any payment method or address that was added.
Secure the Linked Accounts
If the breached account is your email, treat every account that uses it for resets as also exposed. Change those passwords too, and scan the trusted device for malware before you trust it again.
Preserve the Evidence Before It’s Gone
The login log is your best clue. Capture it before the platform recycles it.
Most platforms only keep detailed sign-in history for a limited window, and some of it disappears once you change the password or end the foreign session. So the moment the account is secure, switch into evidence mode. The single richest source is the account’s own login and device activity. In a Google account you will find it under Security, in the recent security activity and “your devices” panels, which show the approximate location, date, time, and access type for each sign-in. Facebook, Instagram, Microsoft, Apple, and most banks have an equivalent “where you are logged in” or “recent activity” page. Open it and capture, by screenshot and by writing it down, every unfamiliar entry: the date and exact time, the IP address if shown, the reported city or region, and the device or browser string.
Next, preserve the messages. If the attacker sent email as you, do not just read it, save the full message headers, which are the hidden routing lines that can reveal the originating server and IP. Most mail clients offer a “show original” or “view headers” option. Screenshot any fraudulent posts, direct messages, or money requests with their timestamps, and keep any password-reset or “new login” alert emails you received, because those carry the IP and timestamp of the attempt straight from the provider. Finally, write a plain timeline: when you last had normal access, when the first odd thing happened, and what changed. Store all of it in one dated folder you do not edit, because a clean, timestamped record is what makes a police report or a civil claim usable later, the same discipline behind a thorough social media investigation when a profile is the only starting point.
How Identifying the Intruder Actually Works
Four lawful trails. Most guides do not touch any of them.
The login trail. Every sign-in carries an IP address, and an IP resolves to an internet provider and a general geographic area, sometimes a neighborhood, sometimes only a region or a data center. On its own an IP rarely names a person, but it tells you a great deal: whether the access came from near you or from another country, whether it bounced through a known VPN or hosting provider, and whether several “different” sign-ins actually trace to one source. Patterns matter more than any single line. A login from your own town at an hour you were asleep points in a very different direction than a string of logins from overseas, and that distinction often decides whether this is a stranger or someone close to you.
The recovery-detail trail. To keep control, intruders almost always add their own recovery email or phone number so they can take the account back even after you reset it. That added contact detail is one of the most valuable leads in the whole case, because it is something the attacker chose and can be researched. A recovery phone number can be checked against public records and carrier data the way our guide to identifying a scammer by phone number describes, and an added recovery address can be run the way our walkthrough on finding someone by an email address lays out.
The reuse trail. People, including attackers, reuse things. A username, handle, or display name the intruder set, or that appears in the recovery details, may match accounts elsewhere, profiles, forum posts, marketplace listings, that point back to a real identity. And if your password was taken in a breach, knowing which breach and which other accounts shared that password helps reconstruct how the takeover happened. The money trail. If funds, gift cards, or purchases moved, follow them: the destination account, the payee name, the shipping address, the transaction IDs. Money is the trail attackers are worst at hiding, and it is frequently what turns an anonymous login into a named person, the same logic that drives finding someone who scammed you after a financial loss. All of this is done through lawful public-records research and open-source techniques. It never involves breaking into the attacker’s accounts, “hacking back,” or any unauthorized access, which is itself a crime and would destroy any case you are building.
The Honest Limits of Attribution
We will tell you what the records can and cannot do.
It would be dishonest to promise a name in every case. A determined attacker who used a VPN, the Tor network, or a chain of compromised machines can make IP geolocation point to a country that has nothing to do with them. Organized, overseas takeover crews are often genuinely out of reach for an individual victim, and the most realistic outcome there is a strong, detailed report that helps law enforcement connect your case to a larger pattern. Subscriber information behind an IP address, the record that ties an address to an actual account-holder at a moment in time, is generally only obtainable by law enforcement through legal process, not by a private firm; what we can lawfully do is develop everything around it into a lead solid enough for that process to be worth pursuing.
Where attribution succeeds most often is, perhaps surprisingly, the cases that hurt most personally: the ones where the hacker is someone you know. Those attacks come from local IPs, happen at times that fit a person in your life, rely on security answers or passwords only a close contact would have, and frequently leave recovery details that lead straight back to the individual. When the trail does support it, we hand you an organized, lawful evidence package, not a guess, that a detective or an attorney can act on. We are clear at the outset about which category your case looks like, so you are never paying for false hope.
Lock It Down vs. Identify the Intruder
Two different jobs. You need both, in order. Here is how they compare.
| Question | Securing the Account | Identifying the Intruder |
|---|---|---|
| Goal | Shut the attacker out and stop the damage | Develop a lawful lead to a real person |
| When | Immediately, before anything else | After it is secure, while evidence is fresh |
| Key actions | New password, two-factor, end sessions, undo changes | Read login IPs, recovery details, reuse, money trail |
| Difficulty | Straightforward, you control it | Variable, depends on what the attacker left behind |
| Best outcome | Full control restored, intruder locked out | A named, located person or a report-ready file |
| Where we help Our Team | We point you to the official lock-down steps | We work the human trail and build the evidence |
The lock-down column is something you can complete yourself today, and you should not wait for anyone to do it. The right-hand column is where a specialist earns their keep, turning scattered IPs, handles, and recovery details into a coherent lead, and being honest when the trail runs cold. Treat them as sequential, not either-or.
When It’s Someone You Know
The hardest cases emotionally are often the most solvable.
A large share of personal account takeovers are not faceless foreign hackers at all. They are an ex-partner who never lost the password, a current or former spouse during a separation, a roommate with access to an unlocked laptop, a family member, or a coworker. These cases look different in the evidence, and they are usually the most identifiable. The sign-ins come from local IP addresses, sometimes the same home or office network you use. The timing lines up with a real person’s schedule. The intruder knew the answer to your security questions or your pet’s name because they know you. And there is often no impossible travel, no overseas hop, just quiet access from nearby.
If the pattern fits a known person, two things matter. First, document carefully and resist the urge to confront before you have preserved everything, because a confrontation can prompt them to wipe their tracks or escalate. Second, if you feel unsafe, especially in a domestic or stalking situation, prioritize your safety and involve law enforcement and a local victim advocate rather than handling it alone. On the investigative side, this is precisely where lawful skip tracing is strongest: confirming an identity, locating the person, and assembling the timeline and records that support a protective order, a police report, or a civil claim. It overlaps heavily with broader fraud investigation work, where naming and locating the responsible party is the whole point.
Where to Report a Hacked Account
File with the channels that fit your situation. Each does something distinct.
Reporting does two things at once: it creates an official record that any later claim or insurance process will need, and it feeds your details into systems that connect individual victims to larger criminal patterns. File a complaint with the FBI at the Internet Crime Complaint Center, which is the central federal intake for online crime and account compromise. If any of your personal information was exposed or misused, build a recovery plan at the FTC’s identity theft service, which generates a personalized, step-by-step checklist and the affidavits you may need for banks and creditors. Notify the platform itself through its hacked-account or compromised-account reporting flow, and contact your bank or card issuer the moment any money or payment method was touched. If the hacker is someone you know or you feel unsafe, file a report with your local police as well, and bring your dated evidence folder with you. Keep every confirmation number; those references are what link your preserved evidence to an official case.
How People Locator Skip Tracing Helps
We work the human trail behind the login, lawfully, so your case has teeth.
Hacked Individuals
Identify who got into your account
Attorneys
Locate an identified intruder for a claim
Stalking Victims
Tie covert access to a known person
Small Businesses
Trace a compromised business account
Fraud Teams
Put a real name to a login pattern
Families
Help a relative who was targeted
Send us what the account left behind, even if it feels thin: the login IPs and locations, the recovery email or phone the intruder added, a username or handle, message headers, or the account where money landed. Our investigation team researches those identifiers through lawful, permissible-purpose public records and skip-tracing sources, and reports back honestly on what they do and do not support. We do not break into anything, we never hack back, and we will tell you plainly when a trail is out of reach. This is the same lawful research that powers our full-spectrum skip tracing and our work helping people find a person who scammed them. For a legitimate matter, an initial locate typically comes back within 24 hours.
Our Commitment
We do not sell false hope or “guaranteed identification.” We do the lawful research most guides skip: turning login IPs, recovery details, reused handles, and the money trail into an organized lead, so your police report or civil claim carries weight. We never break into accounts or hack back. Honest, permissible-purpose skip tracing since 2004.
Frequently Asked Questions
Can I really find out who hacked my account?
Sometimes, but never by guarantee. Login IP addresses, the recovery email or phone the intruder added, reused usernames, leaked credentials, and the money trail can all be researched lawfully and assembled into a real lead. Cases where the hacker is someone you know are the most identifiable. A determined attacker using a VPN or operating overseas may stay out of reach, and we tell you honestly which category yours looks like.
What should I do first when I realize I was hacked?
Secure the account before anything else. From a clean device, change the password, sign out all other sessions, and turn on two-factor authentication. Then remove any recovery email, phone, forwarding rule, or payment method the intruder added. Only after the account is locked down should you switch to preserving evidence and investigating who did it.
Does the login IP address tell you who hacked me?
Not by itself. An IP address resolves to an internet provider and a general area, and the subscriber behind it is usually only obtainable by law enforcement through legal process. But the IP tells you whether access came from near you or abroad, whether a VPN was used, and whether separate sign-ins share one source. Combined with recovery details and reuse, it becomes a usable lead.
What evidence should I preserve, and how?
Capture the account’s login and device activity, including the dates, times, IP addresses, locations, and devices of unfamiliar sign-ins. Save the full headers of any email the attacker sent, screenshot fraudulent posts and messages with timestamps, and keep any reset or new-login alert emails. Store it all in one dated folder you do not edit, because platforms recycle this data quickly.
How can I tell if it was someone I know rather than a stranger?
Look at the login pattern. Access from local IP addresses, at times that fit a person in your life, with no impossible travel, and using security answers or passwords only a close contact would have, all point to a known person. Random foreign logins and credential-stuffing point the other way. Known-person cases are usually the most identifiable through lawful research.
Can you hack the intruder back or get into their accounts to identify them?
No, and you should be wary of anyone who offers to. Breaking into someone else’s account is itself a crime and would destroy the case you are building. Our work is strictly lawful: public records, open-source research, and skip tracing applied to the identifiers the attacker left behind. We develop a legitimate lead, not an illegal one.
Where should I report a hacked account?
File with the FBI Internet Crime Complaint Center at ic3.gov, build a recovery plan at identitytheft.gov if your information was exposed, and report the takeover to the platform itself. Contact your bank if money moved, and file with local police if the hacker is someone you know or you feel unsafe. Keep every confirmation number.
What does People Locator Skip Tracing actually do on a case like this?
We work the human trail, not the security cleanup. Using lawful public-records research and skip tracing, our investigation team turns login IPs, the recovery details the intruder added, reused handles, and the money trail into an organized, named or report-ready lead that strengthens a police report or a civil claim. We never take control of accounts, hack back, or promise an identification we cannot support.
Related Guides
More ways our investigation team can help.
Hacked Account? Find Out Who.
Secure it, then let our investigation team work the lawful trail, the login IPs, the recovery details, the reused handles, and the money, so your report or civil case carries weight. Contact us to get started.
Start Your Request →