"My account was hacked" is a phrase heard often, but legally it does not tell the whole story. It may mean that someone found your password and entered your email. It may mean that they changed the recovery phone on Instagram. It may mean that they read private messages, sent scams to your friends, took files from cloud storage, made purchases, opened a loan, withdrew money from an account or leaked customer data.

That is why the first question is not only "is it a criminal offense?". The correct question is: what exactly did the other person do inside the account? Did they enter without permission? Read communications? Copy data? Change passwords? Blackmail you? Cause financial loss? Use your account to deceive third parties?

First security, then orderly evidence

Do not delete evidence in a hurry and do not answer the perpetrator. Secure the main email, keep URLs, alerts, screenshots and reference numbers, and move through official channels when there is loss or blackmail.

The answer matters for two reasons. First, different acts may activate different criminal provisions. Second, evidence disappears quickly: sessions close, IPs are not visible to the user, profiles change name, messages are deleted, notifications vanish. If you act correctly in the first hours, the file becomes much clearer.

With a hacked account, the first hours determine how clear the evidence file will be and how quickly the damage can be limited.

The practical conclusion is simple: secure the account first, keep evidence without altering it and then contact the platform, the bank where there is a financial issue, the Cyber Crime Division or a lawyer when the loss or risk is serious.

When "my account was hacked" may be a criminal offense

In everyday language we say "hacking" for many different things. In criminal law, however, the label is not punished; the specific act is. Unauthorized access to a system or data is different from violation of communication confidentiality. Deleting files is different from computer fraud. Possessing or trafficking access passwords is different from simply using an account left open on a shared computer.

The following table is not a legal opinion. It is a practical map to understand how one thinks about the case.

| What happened | Possible legal direction | What it means practically |
| --- | --- | --- |
| Someone entered email, social, cloud or a corporate account without permission | Illegal access to an information system or data, especially under article 370B of the Criminal Code | The substance is that they had no right to enter or exceeded the permission they had |
| They read email, messages, chats or communication files | Possible involvement of provisions on confidentiality of communications and privacy protection | The gravity changes when we are not talking only about login, but about reading private communications |
| They changed password, recovery email, 2FA or locked you out | Illegal access, alteration of data or obstruction of operation depending on the act | Keep alerts about changed details and the time you lost access |
| They deleted files, changed content, uploaded fake posts or harmed a system | Possible provisions on data and information systems, depending on the damage | Do not fix everything before keeping evidence |
| They sent messages to friends or clients asking for money | Possible computer fraud or other fraud, depending on the path | Screenshots of conversations and payment details are needed |
| They obtained card details, OTPs, passwords or made transactions | Criminal and banking dimension, possible unauthorized payment transaction | Contact the bank immediately and keep the request number |
| Personal data of customers or partners were exposed | Criminal, civil and GDPR dimension | In a professional account there may be an obligation to record and notify the incident |

The important point is not to confuse the technical cause with the legal consequence. It may have been phishing, meaning you gave the password to a fake page. A session cookie may have been stolen. An old password from a breach may have been used. The account may have remained logged in on someone else’s device. These details affect proof, not necessarily whether an unlawful act occurred.

The first 30 minutes

When you realize something is wrong, it is normal to panic. Do not start, however, with a public post saying "I was hacked". Start with damage control.

First secure the main email. Almost all other accounts hang from it. If the perpetrator controls the recovery email, they can regain access to social media, cloud, marketplaces and banking notifications. Change the password from a safe device. Check whether unknown recovery emails or phones have been added. Review active sessions and disconnect all unknown devices.

Then activate or reset strong two-factor authentication. Prefer an authenticator app or passkey where supported. If you use SMS, check whether there has been a number change or suspicious SIM transfer. Download backup codes and keep them outside the account that was just compromised.

If there is a financial dimension, call the bank or payment provider immediately. Do not simply send an email. Ask for card blocking, e-banking review, transaction dispute and an incident number. If money was sent to a third-party account, ask for an immediate recall process or notification to the beneficiary’s bank, where feasible.

Finally, inform people close to you if the perpetrator is sending messages from your account. Do not write details that reveal new security information. A simple message from another channel, such as "do not answer messages from my account and do not send money", is enough for the first hour.

Before they disappear: what evidence should I keep?

The most common mistake is that the victim tries to "clean" everything immediately. They delete messages, remove posts, close conversations, change details without recording the previous state. It is understandable, but it may weaken the evidence.

You do not need to remain exposed in order to keep evidence. You need to act in an organized way. Before making major changes, keep whatever you can from a safe device.

| Evidence | Why it has value | How to keep it better |
| --- | --- | --- |
| Login or password-change notifications | They show time, device, country or IP where displayed | Keep the email, not only a screenshot. If possible, save it as a file with headers |
| Active sessions page | Shows unknown devices and recent access | Screenshot with date, time, URL and account name |
| Messages sent by the perpetrator | Show use of the account and possible fraud | Full screenshots of the conversation, not only the last message |
| Changes to email, phone, 2FA | Show account takeover | Keep alerts, ticket IDs and security notifications |
| Transactions, IBAN, wallet, receipts | Show damage and money path | Download documents and note reference numbers |
| URLs, usernames, profile IDs | Names change; links remain more useful | Copy the exact URL, not simply "it was that person" |
| Timeline of events | Connects all evidence into one narrative | Make a list: when you noticed it, what you saw, what you did |
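
One way to show later that evidence files were kept unaltered, as an added example that is not part of the original article: record a SHA-256 hash and a timeline note for each saved file, then re-check the folder against that record. The file names and notes are constructed, and the manifest is assumed to be stored outside the folder it describes.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large exports do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(folder, notes):
    """Record name, size, SHA-256 and a timeline note for each evidence file."""
    recorded = datetime.now(timezone.utc).isoformat(timespec="seconds")
    return [{"file": p.name, "bytes": p.stat().st_size,
             "sha256": sha256_file(p), "recorded_utc": recorded,
             "note": notes.get(p.name, "")}
            for p in sorted(Path(folder).iterdir()) if p.is_file()]


def verify_manifest(folder, manifest):
    """Return {file: 'ok' | 'altered' | 'missing' | 'unlisted'}."""
    status = {}
    for entry in manifest:
        path = Path(folder) / entry["file"]
        if not path.is_file():
            status[entry["file"]] = "missing"
        elif sha256_file(path) != entry["sha256"]:
            status[entry["file"]] = "altered"
        else:
            status[entry["file"]] = "ok"
    for p in Path(folder).iterdir():
        if p.is_file() and p.name not in status:
            status[p.name] = "unlisted"   # added after the manifest was made
    return status


if __name__ == "__main__":
    # Constructed sample files standing in for a saved alert and a screenshot.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "alert.eml").write_bytes(b"Subject: Your password was changed\n")
        Path(tmp, "sessions.png").write_bytes(b"\x89PNG constructed placeholder")
        manifest = build_manifest(tmp, {"alert.eml": "21:14 password-change alert"})
        Path(tmp, "sessions.png").write_bytes(b"cropped copy")   # simulated edit
        print(verify_manifest(tmp, manifest))
```

Work on copies when you crop or annotate a screenshot, so the hashed original stays untouched.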

In screenshots, where possible, include the visible system date and time. Do not cut off the page URL. Do not hide the entire profile or username of the perpetrator. If, however, banking details, card numbers, full personal data of third parties or sensitive documents appear, keep them for the authorities or the lawyer and do not publish them.

For email, it is useful to keep the original message, not only a photo of it. Headers may contain technical information about the email route. This does not mean that the citizen must analyze them alone, but it is better that they are not lost.
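
What the original message carries that a photo of it does not, as an added example that is not part of the original article: a Python script that reads a saved .eml file and extracts the Received route, envelope sender and authentication results. The message, hosts, addresses and IDs are constructed placeholders.

```python
import re
from email import message_from_bytes
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample: a password-change alert as saved to an .eml file.
SAMPLE_EML = b"""\
Received: from mx.mailbox.example (mx.mailbox.example [198.51.100.7])
\tby inbox.mailbox.example with ESMTPS id abc123; Tue, 04 Mar 2025 21:14:09 +0000
Received: from notify.platform.example (notify.platform.example [203.0.113.25])
\tby mx.mailbox.example with ESMTPS id def456; Tue, 04 Mar 2025 21:14:07 +0000
Authentication-Results: mx.mailbox.example;
\tspf=pass smtp.mailfrom=platform.example; dkim=pass header.d=platform.example
Return-Path: <bounce@platform.example>
From: Platform Security <security@platform.example>
Subject: Your password was changed
Message-ID: <constructed-0001@platform.example>

Your password was changed from a new device.
"""


def received_hops(raw):
    """Return the Received chain oldest-first as (time, from_host, by_host)."""
    hops = []
    for value in message_from_bytes(raw).get_all("Received", []):
        flat = " ".join(str(value).split())       # undo header folding
        path, _, stamp = flat.rpartition(";")
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):           # hop without a usable date
            path, when = flat, None
        m = re.search(r"from (\S+).*?\bby (\S+)", path)
        hops.append((when, m.group(1) if m else None, m.group(2) if m else None))
    return hops[::-1]                             # servers prepend, so reverse


def summarize(raw):
    """Collect what a screenshot loses: ID, envelope sender, auth results, route."""
    msg = message_from_bytes(raw)
    return {
        "message_id": msg["Message-ID"],
        "from": parseaddr(msg["From"] or "")[1],
        "return_path": parseaddr(msg["Return-Path"] or "")[1],
        "auth_results": " ".join((msg["Authentication-Results"] or "").split()),
        "hops": received_hops(raw),
    }
```

Received lines written before the message reached your own provider come from the sending side and can be forged, so the earliest hops are claims for an investigator to check, not proof.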

What not to do

Do not try to "hack back". Even if you believe you know who it is, retaliation can put you in legal and technical danger. Do not buy supposed recovery services from strangers who write to you in comments. Many such profiles are a second fraud on the same victim.

Do not send anyone passwords, OTPs or backup codes. No serious platform, bank or police authority needs you to tell them your password in order to help you. Do not pay ransom to regain access to a social account unless there has first been a serious technical and legal assessment. Usually there is no guarantee that you will get the account back or that they will not ask for more.

Do not publicly name a person without evidence. The fact that an account had someone’s name does not mean that person is the perpetrator. They may also be a victim. A public accusation without documentation may open a second problem, such as defamation or violation of personal data.

When to contact the Cyber Crime Division

If there is a simple suspicion without damage, start with account recovery and security. If, however, there is illegal access, blackmail, financial loss, threat, leakage of personal data, use of the account for scams or involvement of a minor, the case should not remain only as a platform report.

In Greece a complaint can be submitted through gov.gr for cases of computer fraud and cybercrime. The National Registry of Administrative Procedures also records a complaint procedure for cybercrimes. Public guidance also lists communication channels with the Cyber Crime Division, such as a telephone line and email.

The complaint does not need to be perfect in order to be made. It does need to be specific. Instead of "I was hacked", write:

  • which account was compromised,
  • when you noticed it,
  • what exactly changed,
  • whether money or data were lost,
  • which links, usernames, emails, IBANs or wallet addresses appeared,
  • what you have already done with the platform and bank,
  • which evidence files you keep.

If the case involves serious financial loss or a known suspect, speak with a lawyer before making public moves. For certain offenses and claims there are deadlines, forms and options that are not visible from a general online guide.

If the account is professional

A hacked personal account is serious. A hacked professional account can be even more complex. If we are talking about corporate email, accounting software, CRM, e-shop, cloud with contracts, orders or customer data, changing the password and continuing is not enough.

Practical questions must be answered:

  • Which data were accessible?
  • Were there personal data of customers, employees or partners?
  • Is there an indication that they were copied or transferred?
  • Did the perpetrator send email from a corporate address?
  • Was there business email compromise, meaning a changed IBAN on an invoice or a fake payment instruction?
  • When did the incident start and when did it stop?

Under the GDPR there is an obligation to notify a personal data breach to the competent supervisory authority (the HDPA) when the breach is likely to result in a risk to the rights and freedoms of natural persons. In some cases there is also an obligation to inform the data subjects themselves. The Hellenic Data Protection Authority has a relevant information section on notification of a breach incident.

This does not mean that every suspicious login automatically becomes a notification. It does mean, however, that the business must assess it, record it and not rely on the hope that "nothing happened". For professional accounts, technical investigation and legal documentation must run together.

Practical examples

| Scenario | What I do first | What I keep |
| --- | --- | --- |
| Access to Instagram was lost and email/phone changed | Recovery through the official help flow, email check, password changes on connected accounts | Change alerts, username, profile URL, time access was lost, platform ticket |
| Someone entered Gmail and read/deleted emails | Password change, device sign-out, check forwarding rules and filters | Login activity, suspicious forwarding rules, recovery emails, devices |
| Friends received messages from you asking them to send money | Public warning through another channel, report, password change | Friends’ screenshots, payment accounts, time messages were sent |
| Professional email was hacked and IBAN changed on an invoice | Immediate communication with banks, client and technical team | Email headers, original and fake invoice, logs, communication with client |
| Customer files were exposed from cloud | Cut off access, change credentials, GDPR assessment | List of files, users with access, logs, incident report |

Checklist for citizens

  1. I change the password on the main email from a safe device.
  2. I disconnect unknown devices and check active sessions.
  3. I activate or reset 2FA.
  4. I check recovery email/phone, forwarding rules and connected apps.
  5. I keep screenshots, URLs, emails, alerts, transactions and a timeline.
  6. I inform the bank if payment details or financial loss are involved.
  7. I make an official report to the platform.
  8. I inform friends or clients if the account is sending scams.
  9. I submit a complaint to the authorities when there is illegal access, loss, blackmail or serious leakage.
  10. I seek legal/technical help when the case is professional, financially significant or concerns personal data of third parties.

Frequently asked questions

Is it always a criminal offense if someone entered my account?

There can often be a criminal dimension, but we need to see how they entered, whether they had permission, what they did after entering and whether loss or violation of communications/data occurred. The simple phrase "entered my account" needs facts.

If I once gave them the password, but now they entered without permission?

Old consent does not mean permanent permission for every future access. If someone uses an old password while knowing they no longer have the right, the case may be assessed differently. Keep evidence that the access took place without current permission.

Are screenshots enough?

Screenshots are useful, but not always sufficient. It is better to also keep original emails, URLs, export files where possible, payment evidence and ticket IDs. The closer the evidence is to the original source, the better.

Can I ask the platform for the perpetrator’s IP?

Usually platforms do not provide such data directly to the user for security and data-protection reasons. They may, however, preserve them and provide them within lawful procedure, if requested by the competent authority.

Should I complain first or change passwords first?

First you limit the damage: change passwords, block payments and disconnect unknown devices. At the same time you keep evidence. The complaint follows with a clearer file.

What if scam messages were sent to my friends?

Notify them immediately through another secure channel not to send money and not to click links. Ask them to send you screenshots of the messages, with time and profile. If someone lost money, they too must move toward the bank and authorities.

What changes if a professional email was hacked?

Corporate obligations are added: system review, informing clients where needed, assessment of personal-data breach, possible notification to the HDPA and risk management for invoices, payments and confidential information.

Does it make sense to complain if I do not know who it is?

Yes, especially when there is financial loss, blackmail, data leakage or use of the account for scams. Many cases start without a known perpetrator. Technical data and payment paths may gain value later.

Practical conclusion

A hacked account is not only a technical problem. It is a problem of access, evidence, identity, property and personal data. If you treat it only as "changing a password", you may leave behind financial loss, scams against third parties or legal obligations you did not see in time.

The correct order is: security, evidence, report, institutional action. I secure the account. I keep evidence without altering it. I inform the bank or platform where needed. I submit a complaint when there is an offense or serious loss. And I seek specialized help when the case touches professional data, money, minors or blackmail.

This article is general information. It does not replace individualized legal advice and cannot by itself determine whether your case needs a criminal complaint, lawsuit, interim measures, technical expert report or data breach notification.
