My social media or email account was hacked — what should I do legally?
Updated · 6 July 2026
Act within hours: report to platform via emergency channels, secure remaining accounts, file complaint at cybercrime.gov.in or call 1930, register FIR under Sections 66/66C/66D IT Act and Sections 318/319 BNS, freeze financial accounts, and engage cyber lawyer. Speed determines recovery success.
What should I do in the first 24 hours?
The first 30 minutes are about damage control. Reset passwords on every related account, change recovery email and phone if the hacker may have access, enable two-factor authentication everywhere, sign out all sessions on the hacked account, update security questions, and audit connected third-party apps to revoke anything suspicious. This closes the escalation window before the attacker pivots to your other accounts.
Platform recovery in the next couple of hours differs by service. Gmail and Google Account recovery runs through accounts.google.com/signin/recovery with multiple identity verification paths using past account data. Facebook and Instagram use facebook.com/hacked with ID verification and SMS or email recovery. For WhatsApp, reinstall the app and verify with OTP — this terminates the hacker's session — then enable the 2-step verification PIN. Twitter/X, LinkedIn, Outlook (account.live.com/acsr), and Yahoo each have their own account recovery forms.
Banking must move within 2 to 4 hours. Call the bank fraud helpline immediately and freeze all savings, credit card and demat accounts. Block UPI through the bank app or *99#. Cancel every card — debit, credit, prepaid. Reset net banking password and reinstall the mobile banking app. Send a written fraud email to the bank for the record. File on the RBI Sachet portal and, critically, call 1930 — the National Cybercrime Helpline for financial fraud can freeze the beneficiary's account within hours if you act fast enough. Government and personal documents need protection in the next few hours: lock Aadhaar biometrics through the UIDAI portal, call 1947 (UIDAI helpline), change PAN and DigiLocker passwords, and update e-Sign accounts. Notify contacts on email and social media that you were hacked so they disregard fraudulent messages. Employer notification matters if a work account was affected — corporate data breach risk.
Evidence preservation is easy to forget but essential. Screenshot the hacker's account modifications, unauthorised posts and messages, sent items, account activity logs and any visible IP addresses. Save email forwarding rules the hacker created. Bank statements showing unauthorised transactions, phone records if SIM swap was involved, carrier records — all become critical for the FIR. File the initial complaint through cybercrime.gov.in with all evidence uploaded, note the reference number, and follow up with a police station FIR the same day or next.
Platform recovery in the next couple of hours differs by service. Gmail and Google Account recovery runs through accounts.google.com/signin/recovery with multiple identity verification paths using past account data. Facebook and Instagram use facebook.com/hacked with ID verification and SMS or email recovery. For WhatsApp, reinstall the app and verify with OTP — this terminates the hacker's session — then enable the 2-step verification PIN. Twitter/X, LinkedIn, Outlook (account.live.com/acsr), and Yahoo each have their own account recovery forms.
Banking must move within 2 to 4 hours. Call the bank fraud helpline immediately and freeze all savings, credit card and demat accounts. Block UPI through the bank app or *99#. Cancel every card — debit, credit, prepaid. Reset net banking password and reinstall the mobile banking app. Send a written fraud email to the bank for the record. File on the RBI Sachet portal and, critically, call 1930 — the National Cybercrime Helpline for financial fraud can freeze the beneficiary's account within hours if you act fast enough. Government and personal documents need protection in the next few hours: lock Aadhaar biometrics through the UIDAI portal, call 1947 (UIDAI helpline), change PAN and DigiLocker passwords, and update e-Sign accounts. Notify contacts on email and social media that you were hacked so they disregard fraudulent messages. Employer notification matters if a work account was affected — corporate data breach risk.
Evidence preservation is easy to forget but essential. Screenshot the hacker's account modifications, unauthorised posts and messages, sent items, account activity logs and any visible IP addresses. Save email forwarding rules the hacker created. Bank statements showing unauthorised transactions, phone records if SIM swap was involved, carrier records — all become critical for the FIR. File the initial complaint through cybercrime.gov.in with all evidence uploaded, note the reference number, and follow up with a police station FIR the same day or next.
What is the FIR procedure for cyber hacking?
File the FIR either at the local police station where you reside, the cybercrime police station in major cities, or the state Cyber Crime Cell. Per Mohit Bharti v. State of UP, a victim can file at place of residence or where the crime occurred — for online crime, anywhere accessible counts. The sections to invoke are broad and stackable: Section 43 IT Act (unauthorised access, with Section 66 for criminal intent), Section 66C IT Act (identity theft, 3 years plus ₹1 lakh fine), Section 66D IT Act (cheating by personation through computer, 3 years plus ₹1 lakh), Section 66E IT Act (privacy violation with intimate images), Section 67 or 67A if the hacker published obscene material, Section 72 IT Act for authorised-person breach, plus BNS Section 318 (cheating), Section 319 (cheating by personation), Section 332 (theft of digital assets), Section 336 (forgery for cheating), Section 351 (criminal intimidation), and POCSO if a minor is involved.
The FIR should contain your full details, the date, time and place of hacking discovery, the accounts compromised (email IDs, social media handles), a specific list of unauthorised activities by the hacker (messages sent, money transferred, contacts deceived, identity used for further frauds), quantified financial loss, any suspected perpetrator identity, platform names and account URLs, the pattern of attack, and enclosed evidence. Police refusal is common; escalate to SP or DCP in writing, approach the state Cybercrime Cell directly, or seek a Section 175(3) BNSS Magistrate's order requiring FIR registration. Cybercrime portal filing runs in parallel; writ petition to the High Court is available for refusal to investigate.
Investigation takes 6 to 24 months typically. The cyber cell traces IP through ISP or telecom records under Section 91 BNSS, obtains platform data through Mutual Legal Assistance Treaty for foreign platforms (slow), pulls bank records for the financial trail, does forensic analysis of compromised devices, and interrogates suspects. Anonymous hackers using VPN or Tor, foreign-based platforms with slow MLAT process, cross-state jurisdictional issues, cryptocurrency trails that are hard to trace, and limited cyber forensics capacity all extend timelines. Track status through RTI to the Investigating Officer or Magistrate's monitoring; the charge sheet is filed before the Magistrate after investigation completes; bail considerations kick in; conviction leads to the punishments prescribed. Victim rights include Section 357 BNSS compensation, state Victim Compensation Schemes, right to private complaint if police are inactive, and presence at trial. Civil compensation runs parallel — the Adjudicating Officer under Section 46 IT Act can award up to ₹5 crore in Section 43 cases, with Civil Court beyond that.
The FIR should contain your full details, the date, time and place of hacking discovery, the accounts compromised (email IDs, social media handles), a specific list of unauthorised activities by the hacker (messages sent, money transferred, contacts deceived, identity used for further frauds), quantified financial loss, any suspected perpetrator identity, platform names and account URLs, the pattern of attack, and enclosed evidence. Police refusal is common; escalate to SP or DCP in writing, approach the state Cybercrime Cell directly, or seek a Section 175(3) BNSS Magistrate's order requiring FIR registration. Cybercrime portal filing runs in parallel; writ petition to the High Court is available for refusal to investigate.
Investigation takes 6 to 24 months typically. The cyber cell traces IP through ISP or telecom records under Section 91 BNSS, obtains platform data through Mutual Legal Assistance Treaty for foreign platforms (slow), pulls bank records for the financial trail, does forensic analysis of compromised devices, and interrogates suspects. Anonymous hackers using VPN or Tor, foreign-based platforms with slow MLAT process, cross-state jurisdictional issues, cryptocurrency trails that are hard to trace, and limited cyber forensics capacity all extend timelines. Track status through RTI to the Investigating Officer or Magistrate's monitoring; the charge sheet is filed before the Magistrate after investigation completes; bail considerations kick in; conviction leads to the punishments prescribed. Victim rights include Section 357 BNSS compensation, state Victim Compensation Schemes, right to private complaint if police are inactive, and presence at trial. Civil compensation runs parallel — the Adjudicating Officer under Section 46 IT Act can award up to ₹5 crore in Section 43 cases, with Civil Court beyond that.
How can hacker be tracked and what recovery is possible?
The digital forensic trail includes IP addresses from platform logs, mobile carrier records for SMS or OTP timing, bank transaction trails, UPI transaction IDs, cryptocurrency wallet addresses, device fingerprints at platform login, and behavioural patterns. Platform data is obtained through Section 91 BNSS (Investigating Officer summons) or a court order to the platform's legal team. MLAT is required for foreign platforms and is slow. Major platforms maintain a law enforcement portal that yields account creation IP and date, login IPs and times, device IDs, registered email and phone, payment instruments used, and connected accounts.
Financial recovery hinges on speed. The RBI 2017 Customer Protection Circular gives zero liability if reported within 3 working days, limited liability at 4-7 days, and full customer liability after 7 days. The bank must shadow-reverse within 10 working days pending investigation. The 1930 helpline can freeze the beneficiary account within minutes if reported quickly. NPCI dispute redressal handles UPI issues. Cyber insurance policies from HDFC ERGO, Bajaj Allianz, ICICI Lombard (premium ₹500-₹10,000 per year, cover ₹1-50 lakh) cover phishing, identity theft and banking fraud. The RBI Banking Ombudsman via cms.rbi.org.in is free and binding on the bank; complaints for a bank refusing customer protection typically succeed.
Account restoration on major platforms usually completes in 24-72 hours if identity is verifiable. Verified accounts (blue tick) restore faster. Backup codes, trusted contacts (Facebook feature) and past account activity all serve as identity proof. Occasionally complete loss is inevitable and a fresh account is the pragmatic answer. Cryptocurrency hacking is the hardest — blockchain analytics can trace transactions, exchange cooperation matters if funds route through a known exchange, FIU-IND complaint applies, but recovery success rates hover between 5% and 15%. SIM swap attacks require an FIR against the telecom operator for KYC compromise, TRAI complaint, and TDSAT tribunal action — telecoms often bear partial liability for KYC negligence. Identity theft restoration involves credit bureau alerts (CIBIL, Experian, Equifax, CRIF), locking credit reports, monitoring for fraudulent loans, notifying the Income Tax Department if PAN is compromised, Aadhaar biometric lock, and NPCI fraud alerts. Civil compensation through the Adjudicating Officer under Section 46 IT Act handles up to ₹5 crore (Section 43 lists 14 grounds including unauthorised access, data theft and virus introduction), Civil Court beyond that. Recovery success rates: 60-80% for bank fraud reported within hours, 50-70% for UPI within 24 hours, 80-90% for social media accounts, 5-15% for cryptocurrency.
Financial recovery hinges on speed. The RBI 2017 Customer Protection Circular gives zero liability if reported within 3 working days, limited liability at 4-7 days, and full customer liability after 7 days. The bank must shadow-reverse within 10 working days pending investigation. The 1930 helpline can freeze the beneficiary account within minutes if reported quickly. NPCI dispute redressal handles UPI issues. Cyber insurance policies from HDFC ERGO, Bajaj Allianz, ICICI Lombard (premium ₹500-₹10,000 per year, cover ₹1-50 lakh) cover phishing, identity theft and banking fraud. The RBI Banking Ombudsman via cms.rbi.org.in is free and binding on the bank; complaints for a bank refusing customer protection typically succeed.
Account restoration on major platforms usually completes in 24-72 hours if identity is verifiable. Verified accounts (blue tick) restore faster. Backup codes, trusted contacts (Facebook feature) and past account activity all serve as identity proof. Occasionally complete loss is inevitable and a fresh account is the pragmatic answer. Cryptocurrency hacking is the hardest — blockchain analytics can trace transactions, exchange cooperation matters if funds route through a known exchange, FIU-IND complaint applies, but recovery success rates hover between 5% and 15%. SIM swap attacks require an FIR against the telecom operator for KYC compromise, TRAI complaint, and TDSAT tribunal action — telecoms often bear partial liability for KYC negligence. Identity theft restoration involves credit bureau alerts (CIBIL, Experian, Equifax, CRIF), locking credit reports, monitoring for fraudulent loans, notifying the Income Tax Department if PAN is compromised, Aadhaar biometric lock, and NPCI fraud alerts. Civil compensation through the Adjudicating Officer under Section 46 IT Act handles up to ₹5 crore (Section 43 lists 14 grounds including unauthorised access, data theft and virus introduction), Civil Court beyond that. Recovery success rates: 60-80% for bank fraud reported within hours, 50-70% for UPI within 24 hours, 80-90% for social media accounts, 5-15% for cryptocurrency.
What preventive measures should I take?
Authentication first. Use unique passwords for every account, a password manager (1Password, Bitwarden, LastPass), and 2FA everywhere — authenticator app (Google Authenticator, Authy) is preferable to SMS OTP which is vulnerable to SIM swap. Hardware keys (YubiKey) protect critical accounts. Passkeys where supported are the newest and safest option. Email hygiene matters: separate emails for banking, social media, subscriptions and personal communication; avoid clicking suspicious links; verify senders on any financial or personal information request; hover to check the real link destination; be alert to slight variations in "from" addresses; filter rules for known phishing patterns.
Phishing awareness is the single biggest defence. Legitimate banks never ask for password, OTP or PIN. Never share OTP with anyone including "bank" callers. Voice and IVR fraudsters mimic bank customer service. SMS phishing (smishing) and QR code fraud are common vectors; scan only known QR codes. UPI payment requests from unknown numbers are always fraud attempts. "KYC update" calls are almost universally fraud. Device security requires updated OS and apps, endpoint protection, avoiding public Wi-Fi for sensitive transactions, VPN on untrusted networks, phone PIN plus biometric, remote wipe enabled, encrypted backups, avoiding root or jailbreak, and sandboxing banking apps.
Account hygiene means quarterly review of connected apps, revoking unused permissions, checking active sessions, alert preferences on for all account changes, recovery email or phone verified and accessible, backup codes generated and stored safely, privacy settings reviewed, and old or unused accounts deleted. Financial security uses transaction alerts on all accounts, conservative daily and per-transaction limits, multiple bank accounts with a small operating account and larger savings kept separately, credit cards for online purchases (more protection than debit), virtual cards for one-time purchases, card tokenisation (RBI direction) instead of saving card details on every site, and a separate UPI ID for high-value transactions. SIM protection includes a port-out PIN with the telecom operator, an eight-digit SIM PIN, monitoring SIM status, and telecom operator fraud alerts. Identity document protection uses Aadhaar biometric lock plus OTP lock, masked Aadhaar when sharing, avoiding Aadhaar copies in unverified places, VID for KYC where possible, and 2FA on the Income Tax e-filing portal. Social media hygiene: keep birth year and mother's name private (they are common security question answers), turn off location services on posts, limit friend list visibility, verify friend requests, and watch for clone profiles. Cyber insurance at ₹500-₹10,000 premium is worth the peace of mind. Monthly bank statement review, quarterly connected-apps audit, and annual password rotation is the baseline discipline.
Phishing awareness is the single biggest defence. Legitimate banks never ask for password, OTP or PIN. Never share OTP with anyone including "bank" callers. Voice and IVR fraudsters mimic bank customer service. SMS phishing (smishing) and QR code fraud are common vectors; scan only known QR codes. UPI payment requests from unknown numbers are always fraud attempts. "KYC update" calls are almost universally fraud. Device security requires updated OS and apps, endpoint protection, avoiding public Wi-Fi for sensitive transactions, VPN on untrusted networks, phone PIN plus biometric, remote wipe enabled, encrypted backups, avoiding root or jailbreak, and sandboxing banking apps.
Account hygiene means quarterly review of connected apps, revoking unused permissions, checking active sessions, alert preferences on for all account changes, recovery email or phone verified and accessible, backup codes generated and stored safely, privacy settings reviewed, and old or unused accounts deleted. Financial security uses transaction alerts on all accounts, conservative daily and per-transaction limits, multiple bank accounts with a small operating account and larger savings kept separately, credit cards for online purchases (more protection than debit), virtual cards for one-time purchases, card tokenisation (RBI direction) instead of saving card details on every site, and a separate UPI ID for high-value transactions. SIM protection includes a port-out PIN with the telecom operator, an eight-digit SIM PIN, monitoring SIM status, and telecom operator fraud alerts. Identity document protection uses Aadhaar biometric lock plus OTP lock, masked Aadhaar when sharing, avoiding Aadhaar copies in unverified places, VID for KYC where possible, and 2FA on the Income Tax e-filing portal. Social media hygiene: keep birth year and mother's name private (they are common security question answers), turn off location services on posts, limit friend list visibility, verify friend requests, and watch for clone profiles. Cyber insurance at ₹500-₹10,000 premium is worth the peace of mind. Monthly bank statement review, quarterly connected-apps audit, and annual password rotation is the baseline discipline.
What about business and corporate account hacking?
Corporate incidents trigger mandatory reporting. The CERT-In Directions of April 2022 require reporting cyber incidents within 6 hours. The DPDPA 2023 Section 8(6) requires notifying the Data Protection Board and affected data principals of personal data breach. RBI directives set 2-6 hour reporting timelines for banks and financial institutions. SEBI Cyber Security Framework mandates 24-hour reporting for listed companies and intermediaries. IRDAI covers insurers, TRAI covers telecom, and stock exchange disclosures are required for material cyber incidents at listed companies.
Internal incident response requires a functioning Incident Response Plan and Computer Security Incident Response Team activation. Immediate steps: containment (isolate affected systems), eradication (remove malware, close vulnerabilities), recovery (restore from clean backups), forensic preservation (do not destroy evidence), coordinated internal, external and regulatory communication, and post-incident review. Legal obligations to affected parties under DPDPA 2023 require notifying data principals "without undue delay" in the form and content prescribed by the Data Protection Board Rules; mitigation steps must be communicated, and offering free credit monitoring is common in personal data breaches.
Reporting channels include CERT-In (cert-in.org.in incident reporting form), sector-specific CSIRTs (Banking CSIRT, Power CSIRT, Defence CSIRT), the Data Protection Board under DPDPA, sectoral regulators (RBI, SEBI, IRDAI, TRAI), NCIIPC for critical information infrastructure, stock exchange for listed companies, and local police or cyber crime cell. Liability exposure under DPDPA is significant: up to ₹250 crore for a personal data breach, up to ₹200 crore for failure to notify the Board, up to ₹250 crore for failure to take reasonable safeguards. IT Act Section 43A (until DPDPA fully replaces) covers reasonable security practices with unlimited compensation under negligence. Civil class actions from affected customers, director's personal liability under Section 85 IT Act, and securities law consequences for failure to disclose material events all compound the risk. Cyber insurance for corporates covers forensic investigation, legal defence, regulatory penalties (subject to law), customer notification, credit monitoring, PR management, business interruption, data restoration, and ransomware payments (controversial). Premiums scale from ₹50,000 to ₹50 lakh annually. Ransomware specifics: do not pay if avoidable (funds crime, no guarantee of recovery), restore from backups if available, engage CERT-In and law enforcement, use MLAT for cross-border cooperation, and consider tax and insurance implications of ransom. Insider threat is a common vector — background checks, access controls and segregation, careful termination procedures, and mandated cyber-awareness training under various frameworks reduce risk. Post-incident process improvement typically involves ISO 27001, SOC 2, RBI Cyber Security Framework or sector-specific certifications, plus stakeholder trust rebuilding through comprehensive PR and customer communication.
Internal incident response requires a functioning Incident Response Plan and Computer Security Incident Response Team activation. Immediate steps: containment (isolate affected systems), eradication (remove malware, close vulnerabilities), recovery (restore from clean backups), forensic preservation (do not destroy evidence), coordinated internal, external and regulatory communication, and post-incident review. Legal obligations to affected parties under DPDPA 2023 require notifying data principals "without undue delay" in the form and content prescribed by the Data Protection Board Rules; mitigation steps must be communicated, and offering free credit monitoring is common in personal data breaches.
Reporting channels include CERT-In (cert-in.org.in incident reporting form), sector-specific CSIRTs (Banking CSIRT, Power CSIRT, Defence CSIRT), the Data Protection Board under DPDPA, sectoral regulators (RBI, SEBI, IRDAI, TRAI), NCIIPC for critical information infrastructure, stock exchange for listed companies, and local police or cyber crime cell. Liability exposure under DPDPA is significant: up to ₹250 crore for a personal data breach, up to ₹200 crore for failure to notify the Board, up to ₹250 crore for failure to take reasonable safeguards. IT Act Section 43A (until DPDPA fully replaces) covers reasonable security practices with unlimited compensation under negligence. Civil class actions from affected customers, director's personal liability under Section 85 IT Act, and securities law consequences for failure to disclose material events all compound the risk. Cyber insurance for corporates covers forensic investigation, legal defence, regulatory penalties (subject to law), customer notification, credit monitoring, PR management, business interruption, data restoration, and ransomware payments (controversial). Premiums scale from ₹50,000 to ₹50 lakh annually. Ransomware specifics: do not pay if avoidable (funds crime, no guarantee of recovery), restore from backups if available, engage CERT-In and law enforcement, use MLAT for cross-border cooperation, and consider tax and insurance implications of ransom. Insider threat is a common vector — background checks, access controls and segregation, careful termination procedures, and mandated cyber-awareness training under various frameworks reduce risk. Post-incident process improvement typically involves ISO 27001, SOC 2, RBI Cyber Security Framework or sector-specific certifications, plus stakeholder trust rebuilding through comprehensive PR and customer communication.
Reference Citation: Information Technology Act, 2000 (Sections 43, 66, 66C, 66D); Bharatiya Nyaya Sanhita, 2023; Digital Personal Data Protection Act, 2023; CERT-In Directions, April 2022
Disclaimer: Content provided here is for general legal knowledge only and does not constitute formal legal advice. If you have an urgent or specific matter, please consult a registered advocate.