How to Tell If You've Been Hacked: 12 Warning Signs

SBK Consulting 14 min read

Most businesses discover they have been hacked long after the initial breach. The average dwell time — the period between initial compromise and detection — is still measured in weeks for many organizations, and months for some. The longer an attacker operates undetected in your environment, the more damage they can do: exfiltrating data, establishing persistence, moving laterally through your network, and positioning themselves for a devastating ransomware deployment.

Knowing what to look for is the first step toward reducing that dwell time. Here are twelve warning signs that your business may have been compromised, what each sign actually means, and what to do if you spot one.

1. Unusual Account Activity

What it looks like: Login notifications from unfamiliar locations or devices. Password reset requests you did not initiate. New admin accounts that nobody created. Disabled MFA on accounts that previously had it enabled.

Why it matters: Compromised credentials are the most common entry point for business breaches. Attackers often start by testing stolen credentials against your email and cloud services. Once inside, they create backup access (new admin accounts, modified MFA settings) so they can maintain access even if the original compromised password is changed.

What to do immediately:

  • Force a password reset on the affected account
  • Re-enable MFA and verify the MFA method (ensure the attacker did not register their own device)
  • Review the account’s recent activity (email rules, sent messages, file access)
  • Check for new accounts or permission changes you did not authorize
  • Review sign-in logs for the past 30 days across all accounts

2. Unexpectedly Slow Systems or Network Performance

What it looks like: Computers that were fast yesterday are sluggish today. Network speeds have dropped without explanation. Applications time out frequently. File saves take much longer than usual.

Why it matters: Malware running in the background consumes CPU, memory, and network bandwidth. Cryptomining malware is particularly resource-intensive. Data exfiltration also creates unexpected network traffic that degrades performance. Not every slowdown is a breach, but a sudden, unexplained performance drop across multiple systems warrants investigation.

What to do immediately:

  • Check Task Manager (Windows) or Activity Monitor (Mac) for unfamiliar processes consuming high resources
  • Review network utilization and look for unusual traffic patterns, especially large outbound data transfers
  • Run an endpoint detection scan on affected systems
  • If multiple systems are affected simultaneously, investigate the network for unauthorized devices or traffic

3. Unexpected Software or Browser Extensions

What it looks like: Programs you did not install appearing on your computer. Browser extensions or toolbars that were not added by the user. New system services running at startup. Modified browser settings (changed homepage, default search engine, new bookmarks).

Why it matters: Attackers install tools to maintain access, capture keystrokes, redirect traffic, or serve as a staging point for further attacks. Unauthorized browser extensions can capture credentials, inject ads, redirect searches, and exfiltrate browsing data. Remote access tools (RATs) disguised as legitimate software give attackers persistent access to your systems.

What to do immediately:

  • Document the unauthorized software (screenshot, note the file location and name)
  • Do not simply uninstall it; this can destroy forensic evidence
  • Disconnect the system from the network if you suspect active compromise
  • Have a security professional analyze the software before removal
  • Audit all systems for the same software; if one machine has it, others might too

4. Ransomware Messages or Encrypted Files

What it looks like: Files renamed with unusual extensions (.encrypted, .locked, .crypted). Desktop wallpaper changed to a ransom note. Text files appearing in folders with payment instructions. Inability to open documents that were working fine yesterday.

Why it matters: Ransomware is the most visible and immediately damaging form of cyberattack. By the time you see the ransom note, the encryption is already complete. Modern ransomware typically exfiltrates data before encrypting it, creating a double extortion scenario where attackers threaten to publish your data even if you restore from backups.

What to do immediately:

  • Disconnect affected systems from the network immediately to prevent further spread
  • Do not pay the ransom without professional guidance (payment does not guarantee recovery and may fund further attacks)
  • Identify the ransomware variant if possible (this determines recovery options)
  • Check backup integrity before attempting restoration
  • Report to law enforcement (FBI IC3: ic3.gov)
  • Contact a professional incident response team

5. Email Sending Without Your Knowledge

What it looks like: Colleagues or clients mention receiving strange emails from you. Your sent folder contains messages you did not write. Out-of-office replies arrive from people you did not email. Bounce-back notifications appear for messages you never sent.

Why it matters: A compromised email account is one of the most dangerous situations for a business. Attackers use compromised accounts to send phishing emails to your contacts (who are more likely to trust messages from your address), redirect financial transactions through business email compromise (BEC) schemes, and access sensitive information stored in your mailbox and connected systems.

What to do immediately:

  • Change the account password immediately from a known-clean device
  • Check for email rules that forward messages to external addresses (a very common attacker technique)
  • Review sent items, deleted items, and any folders for messages the attacker sent or received
  • Notify your contacts that your account was compromised
  • Enable or re-verify MFA
  • Review connected applications and revoke any unauthorized OAuth tokens
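One way to automate the inbox-rule check above, as an added example that is not SBK Consulting's code: it flags rules that forward or redirect mail outside the organization, the classic pattern of an attacker-created rule, often paired with message deletion and a throwaway name such as ".". The rule records are constructed to mirror an Exchange Online inbox-rule export; the field names and the internal-domain list are assumptions.

```python
"""Flag attacker-style inbox rules: external forwarding, deletion of the
original, and a non-descriptive name. Added example; field names below
(ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage) are assumed to
match an exported rule list and should be adapted to your own export."""

INTERNAL_DOMAINS = {"example.com"}  # assumed: the organization's own mail domains

# Constructed sample: three rules from one mailbox, one of them attacker-created
SAMPLE_RULES = [
    {"Name": "Sort invoices", "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False,
     "SubjectContainsWords": ["invoice"]},
    {"Name": ".", "ForwardTo": ["drop@mail.example.net"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True,
     "SubjectContainsWords": ["invoice", "payment", "wire"]},
    {"Name": "HR archive copy", "ForwardTo": [],
     "RedirectTo": ["hr-archive@example.com"], "ForwardAsAttachmentTo": [],
     "DeleteMessage": False, "SubjectContainsWords": []},
]


def _domain(address: str) -> str:
    """Domain part of an address, lower-cased; a malformed address is treated as external."""
    return address.rsplit("@", 1)[-1].lower()


def rule_findings(rule: dict, internal_domains=INTERNAL_DOMAINS) -> list:
    """Return the reasons a single rule looks attacker-created (empty list if none)."""
    findings = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [t for t in targets if _domain(t) not in internal_domains]
    if external:
        findings.append("forwards mail outside the organization: " + ", ".join(external))
    # Deleting the original hides the forwarded thread from the real mailbox owner;
    # only treated as a finding when combined with external forwarding, since
    # delete-only rules (newsletters, notifications) are usually legitimate.
    if external and rule.get("DeleteMessage"):
        findings.append("deletes matching messages after forwarding")
    # Attacker rules are often named "." or "," so they are easy to overlook
    name = rule.get("Name", "").strip()
    if findings and len(name) <= 2:
        findings.append("non-descriptive rule name %r" % name)
    return findings


def suspicious_rules(rules, internal_domains=INTERNAL_DOMAINS) -> dict:
    """Map rule name -> findings for every rule with at least one finding."""
    out = {}
    for rule in rules:
        findings = rule_findings(rule, internal_domains)
        if findings:
            out[rule["Name"]] = findings
    return out


if __name__ == "__main__":
    for name, why in suspicious_rules(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule {name!r}:")
        for reason in why:
            print("  -", reason)
```

Rules that redirect to another mailbox in your own domain are deliberately not flagged; review those separately if the target mailbox is not the user's own.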

6. Browser Redirects and Pop-ups

What it looks like: Web searches redirect to unfamiliar sites. Pop-up windows appear even when the browser is closed. Clicking links takes you to different sites than expected. New tabs open automatically to suspicious URLs.

Why it matters: Browser hijacking can be a sign of adware (annoying but relatively harmless) or something more serious (a compromised DNS configuration, man-in-the-browser malware, or a rogue browser extension capturing your activity). If your DNS has been changed at the network level, every device on your network could be affected.

What to do immediately:

  • Check DNS settings on the affected device and on your router/firewall
  • Review installed browser extensions and remove anything unauthorized
  • Clear browser cache and reset browser settings to defaults
  • Run a full malware scan with an updated endpoint protection tool
  • If the issue affects multiple devices, investigate your network DNS configuration and router/firewall for unauthorized changes

7. Disabled Security Tools

What it looks like: Antivirus or endpoint protection shows as disabled and cannot be re-enabled. Windows Defender or other built-in security features are turned off. Firewall rules have been modified. Security update services are disabled.

Why it matters: Disabling security tools is one of the first things sophisticated malware does after gaining access. If your security software is disabled and you did not do it, something else did — and that something is likely malicious. This is a high-severity indicator that should be treated as a confirmed compromise until proven otherwise.

What to do immediately:

  • Do not attempt to simply re-enable the tools; the malware will likely disable them again
  • Disconnect the system from the network
  • Boot from a clean recovery environment to scan the system
  • This situation almost always requires professional incident response
  • Check other systems on the network for the same indicators

8. Data Anomalies and Unexplained Changes

What it looks like: Database records have been modified without audit trail entries. Files have been accessed at unusual times (3 AM on a Saturday). Large data exports or downloads that nobody authorized. Configuration files changed without corresponding change tickets.

Why it matters: Data manipulation and exfiltration are often the actual objective of a breach. Attackers modify records to cover their tracks, access sensitive data for theft or extortion, and export data in bulk for sale or leverage. These anomalies may be subtle and require monitoring tools to detect.

What to do immediately:

  • Preserve logs and audit trails before they rotate or are overwritten
  • Identify the scope of the changes (which records, which timeframe, which user accounts)
  • Determine whether the changes came from legitimate user accounts (compromised credentials) or unauthorized access paths
  • Check for data exfiltration by reviewing outbound network traffic logs
  • Engage your cybersecurity team or an incident response provider

9. Unusual Outbound Network Traffic

What it looks like: Firewall logs show large volumes of data leaving your network to unfamiliar IP addresses. Network monitoring detects connections to known malicious domains. Bandwidth usage is significantly higher than normal, especially during off-hours.

Why it matters: Outbound traffic anomalies are one of the most reliable indicators of an active breach. Malware communicates with command-and-control (C2) servers, exfiltrates stolen data, and downloads additional tools, all through outbound connections. This traffic often occurs during off-hours when it is less likely to be noticed.

What to do immediately:

  • Identify the source systems generating the unusual traffic
  • Block the destination IP addresses and domains at the firewall (but be aware this may alert the attacker)
  • Capture network traffic for forensic analysis
  • Isolate source systems from the network
  • Review DNS query logs for connections to suspicious or newly registered domains
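The outbound-volume check described above, as an added example that is not SBK Consulting's code: it parses firewall log lines, sums bytes sent from internal hosts to destinations that are neither internal nor allowlisted, and reports pairs over a volume threshold together with how much of that volume moved off-hours. The log format, internal ranges, allowlist, threshold and business hours are assumptions to adapt to your own firewall export.

```python
"""Find internal->external source/destination pairs with large outbound volume,
and how much of it happened off-hours. Added example; the log line format and
all thresholds are constructed assumptions, not any vendor's real format."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) bytes_out=(\d+)$")
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
KNOWN_DESTINATIONS = {"198.51.100.20"}    # assumed: e.g. your backup provider
VOLUME_THRESHOLD = 500 * 1024 * 1024      # assumed: 500 MiB per src->dst pair
BUSINESS_HOURS = range(7, 19)             # assumed: 07:00-18:59, Monday-Friday

# Constructed sample log: 10.0.5.23 pushes ~1.2 GB to an unknown host at 3 AM on a Saturday
SAMPLE_LOG = """\
2024-03-01T10:02:11 src=10.0.5.40 dst=198.51.100.20 dport=443 bytes_out=734003200
2024-03-01T14:30:55 src=10.0.5.23 dst=10.0.2.5 dport=445 bytes_out=905969664
2024-03-02T03:14:07 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=629145600
2024-03-02T03:41:52 src=10.0.5.23 dst=203.0.113.9 dport=443 bytes_out=660602880
2024-03-02T03:50:03 src=10.0.5.23 dst=203.0.113.9 dport=8443 bytes_out=4096
2024-03-04T09:15:20 src=10.0.5.31 dst=203.0.113.77 dport=443 bytes_out=20480
"""


def parse_log(text):
    """Yield (timestamp, src, dst, bytes_out); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, _port, nbytes = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def is_internal(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETWORKS)


def is_off_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def find_exfil_candidates(text, threshold=VOLUME_THRESHOLD, allow=KNOWN_DESTINATIONS):
    """Return {(src, dst): {"bytes", "off_hours_bytes", "flows"}} for every
    internal->external pair whose total outbound volume exceeds threshold."""
    totals = defaultdict(lambda: {"bytes": 0, "off_hours_bytes": 0, "flows": 0})
    for ts, src, dst, nbytes in parse_log(text):
        # Keep only internal sources talking to non-internal, non-allowlisted hosts
        if not is_internal(src) or is_internal(dst) or dst in allow:
            continue
        t = totals[(src, dst)]
        t["bytes"] += nbytes
        t["flows"] += 1
        if is_off_hours(ts):
            t["off_hours_bytes"] += nbytes
    return {pair: t for pair, t in totals.items() if t["bytes"] > threshold}


if __name__ == "__main__":
    for (src, dst), t in find_exfil_candidates(SAMPLE_LOG).items():
        pct = 100 * t["off_hours_bytes"] / t["bytes"]
        print(f"{src} -> {dst}: {t['bytes'] / 2**20:.0f} MiB over {t['flows']} flows, "
              f"{pct:.0f}% off-hours")
```

Tune the threshold against a week of normal traffic first; the point is the change from that baseline, not the absolute number.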

10. Locked Out of Your Own Accounts

What it looks like: Cannot log into email, cloud services, or internal systems with your usual credentials. Password resets are not arriving (because the recovery email has been changed). Admin console access has been revoked. Domain registrar or DNS provider login no longer works.

Why it matters: Account lockout is often the endgame of a sophisticated attack. Attackers change credentials and recovery options to lock out legitimate administrators, giving themselves exclusive control. If they have taken over your domain registrar or DNS provider, they can redirect your entire online presence. This is an emergency.

What to do immediately:

  • Contact your service providers directly by phone (not email, since email may be compromised)
  • Provide proof of identity and ownership to regain account access
  • If your domain registrar is compromised, contact the registrar’s abuse team and ICANN
  • Change credentials for every service using a known-clean device and known-clean network
  • This is a critical incident that requires immediate professional response

11. Unfamiliar Processes and Services

What it looks like: Task Manager or Process Explorer shows processes with unfamiliar names. Services that start automatically but are not associated with known software. Scheduled tasks that were not created by IT. PowerShell or command prompt windows that flash open and close.

Why it matters: Persistent malware installs itself as services, scheduled tasks, or startup processes to survive system reboots. Fileless malware runs entirely in memory using legitimate tools like PowerShell, making it harder to detect with traditional antivirus. Seeing unfamiliar processes, especially those running with system-level privileges, is a strong indicator of compromise.

What to do immediately:

  • Document the process names, file locations, and associated user accounts
  • Do not terminate the processes yet; doing so can destroy forensic evidence and alert the attacker
  • Check the file hashes against threat intelligence databases (VirusTotal is a free resource)
  • Review scheduled tasks and startup items for anything unauthorized
  • Engage a security professional for analysis before taking remediation action

12. Customer or Partner Complaints

What it looks like: Customers report receiving suspicious emails or invoices from your organization. Business partners say your file-sharing links contain malware. Clients report unauthorized transactions on their accounts. Your website visitors are being redirected to malicious sites.

Why it matters: Sometimes the first indication of a breach comes from outside your organization. This is a worst-case scenario in terms of reputation damage, because your customers and partners are already affected. It also means the breach has been active long enough for attackers to weaponize your systems against your trusted relationships.

What to do immediately:

  • Take the complaints seriously and investigate immediately, even if you have not noticed anything internally
  • Notify affected customers and partners with honest, specific communication
  • Engage legal counsel to understand notification obligations (many states have breach notification laws)
  • Conduct a full investigation of all systems the attackers may have accessed
  • Prepare public communication if the scope warrants it

What to Do When You Suspect a Breach

If you have identified one or more of these warning signs, here is the general response sequence:

Immediate Actions (First Hour)

  1. Contain — Isolate affected systems from the network. Do not power them off (keeping them running preserves volatile evidence in memory).
  2. Document — Record everything you observe: timestamps, affected systems, specific indicators, actions taken.
  3. Escalate — Notify your IT team, management, and your security provider or incident response retainer.
  4. Preserve — Do not delete, modify, or “clean up” anything. Forensic evidence is critical for understanding the scope and preventing recurrence.

Short-Term Actions (First 24-72 Hours)

  1. Assess scope — Determine how many systems, accounts, and data sets are affected.
  2. Engage professionals — If you do not have in-house security expertise, engage an incident response team immediately.
  3. Notify stakeholders — Legal counsel, cyber insurance carrier, affected employees.
  4. Begin remediation — Only after you understand the scope and the attacker’s access path.

Longer-Term Actions (1-4 Weeks)

  1. Complete remediation — Remove all attacker access, close the initial entry point, reset all potentially compromised credentials.
  2. Meet legal obligations — Breach notification to affected individuals, regulatory bodies, and law enforcement as required.
  3. Conduct a post-incident review — What happened, how it happened, what failed, and what changes will prevent recurrence.
  4. Improve defenses — Implement the specific improvements identified in the post-incident review.

When to Call a Professional

Not every suspicious indicator requires a full incident response engagement. But you should call a professional immediately if:

  • You see signs of ransomware (encrypted files, ransom notes)
  • You are locked out of administrative accounts
  • Security tools have been disabled without explanation
  • You discover unauthorized data exfiltration
  • Customers or partners report being affected
  • Multiple warning signs appear simultaneously

Our cybersecurity practice provides incident response, security assessments, and ongoing monitoring for businesses in the NYC metro area. If you are unsure whether what you are seeing is a breach, reach out. A quick assessment is far less costly than an undetected compromise that continues for weeks.

Frequently Asked Questions

How do hackers typically get into business systems?

The three most common entry points are compromised credentials (stolen through phishing or purchased from dark web breach databases), unpatched software vulnerabilities, and social engineering (tricking employees into providing access or installing malware). Email phishing remains the single most common initial attack vector, which is why email security and employee awareness training are foundational defenses.

How long does it take to detect a breach?

The global median dwell time (time from initial breach to detection) varies by study but consistently runs between 10 and 21 days for organizations with some security monitoring in place. Organizations without monitoring may not detect breaches for months. Investing in endpoint detection and response (EDR), network monitoring, and log analysis dramatically reduces detection time.

Should we pay a ransomware demand?

This is a decision that should be made with the guidance of legal counsel, your cyber insurance carrier, and a qualified incident response team. Paying does not guarantee data recovery, may fund further criminal activity, and can create legal complications. In most cases, the best path is to restore from backups and invest in preventing recurrence. However, every situation is different, and the decision depends on factors like backup availability, data sensitivity, and business impact.

What should we do if only one computer seems affected?

Take it seriously. A single affected endpoint may be the visible tip of a larger compromise. Isolate the system, investigate thoroughly, and check other systems on the network for similar indicators. Many breaches start with one compromised endpoint and spread laterally. The cost of over-investigating a false alarm is far less than the cost of under-investigating an actual breach.

How can we prevent getting hacked in the first place?

No defense is perfect, but these fundamentals block the vast majority of attacks: enforce multi-factor authentication on all accounts, deploy modern endpoint detection and response (not just antivirus), patch software promptly, implement email security with phishing protection, train employees to recognize social engineering, maintain tested backups with offsite copies, and monitor your environment for anomalies. Most breaches exploit missing basics, not sophisticated zero-day vulnerabilities.


About SBK Consulting

SBK Consulting is a vendor-neutral IT consultancy based in New York, serving midsize businesses, small organizations, and nonprofits. We deliver enterprise-grade cybersecurity, compliance, cloud, and managed IT services — with zero conflicts of interest.
