How To Tell If My Mac Is Being Hacked

Sep 10, 2016  OS X Lion- Protect your Mac from malware. OS X Mountain Lion- Protect your Mac from malware. About file quarantine in OS X. If you require anti-virus protection Thomas Reed recommends using Dr.Web Light from the App Store. It's free, and since it's from the App Store, it. Find out if someone has accessed your MacBook's camera. Get notified when your MacBook's iSight camera is being used to keep hackers from spying on you. May 30, 2020  How To Tell If Mac Was Hacked First, scan your Mac with an antimalware solution. Next, turn off remote desktop and screen sharing features to make sure that nobody can connect to your Mac remotely. Verify that there are no keyloggers.

This post may contain affiliate links. As an Amazon Associate I earn from qualifying purchases made on our website. If you make a purchase through links from this website, I may earn a commission at no additional cost to you. Read my full disclosure.

Do you think that your Mac was hacked? Do you feel that someone or something is spying on you when you are watching YouTube, or when your Mac is left unattended at home?

There are many ways how a human or a program can get on your computer and do harm to you and your privacy:

  • It could be a spyware, a malicious hacker, or someone you know, such as a parent, a spouse, a friend.
  • They can access your photos, videos, and emails
  • They can take embarrassing pictures of you using a webcam
  • They can listen and record your conversations
  • They can monitor your browsing history
  • They can use your computer to mine Bitcoins
  • They can encrypt everything on your disk and then ask for a ransom

Computers have never been safe, and now when we rely so much on them, it is extremely important to protect ourselves from malicious actors.

This topic is too broad to fit into one blog post, so I am writing mini-series, which will help you to minimize the impact and secure your Mac.

Signs That Your Mac Was hacked

If you are reading this post, chances are you noticed something unusual is happening on your Mac. Sometimes you have a hunch, but you can’t explain it. However, most of those signs can be explained by reasons other than malware or hackers. So, let’s review the major signs.

Mac suddenly became slow for no apparent reasons

I’ve been developing commercial software for more than twenty years. There were many times when I received a call from the customer complaining that their computers, servers, programs are slow.

Every time I am getting a call, the first thing I ask if they did something before they noticed the problem. Do you know how many times they admitted that they changed something? You guessed it, zero. How many times did customers cause the problem? Almost always.

Following are some of the reasons why Mac can be slow:

  • There is a virus or other malware
  • Not enough disk space on Mac
  • New OS was installed
  • Hardware failure
How To Tell If My Mac Is Being Hacked

Mac is using more Internet than usual

This one is harder to detect now than before. We used to have limits on how much Internet bandwidth we could use. Today, when many people have unlimited data with cable, you may not even know that something is happening.

However, if you are on a limited plan, and you see a significant increase in data consumption (more than 25% more), it’s time to investigate.

The reasons could be the following:

  • Your Mac is being used as a bot by hackers
  • There is a virus or other malware
  • Your little one grew up and now watching YouTube all day on your computer
  • New OS was installed
  • Youtube and other web sites are taking forever to load

Similar to the previous sign, problems with the Internet could be a sign pointing to a virus or adware affecting the browser. Or it could be a new browser update. Or maybe the system became unstable.

Programs crashing more often

Did you notice that apps getting stuck and eventually crashing? Very often, it’s a sign of malware. Additional reasons for frequent app crashes are the following:

  • Lack of memory (RAM)
  • Lack of disk space
  • Temporary system instability
  • Hardware failure
  • Unusual pop-ups in the browser

This is something we all have seen. You download an app from the Internet and seems like it was a legit software. But little did you know a good app was bundled with bloatware.

How

Usually, the result is that your default search engine gets changed from Google to Yahoo, the home page changes, and there are additional icons in the browser toolbar. But there could be other issues such as adware.

Adware is trying to redirect you to other sites, not related to what are you searching for. Their goal is direct traffic to certain sites. More traffic, more money they get. So, they litter your screen with pop-up, hoping that you can click and open the site you don’t want.

New files appear or old files disappear

Malware often creates new files with cryptic names. For instance, ransomware encrypts the files on your disk and renames them. However, there could be more innocent explanations.

For instance, if you can’t find a file, it does not necessarily mean that it was deleted by malware or someone who logged in on your computer remotely. Maybe, you just can’t remember that you deleted the file or the folder. In this case, first, check Trash on Mac.

If you still can’t find what you need, check my post about finding any files. I guarantee, if the file is still on your Mac after reading my post, you will be able to locate it.

How To Tell If Mac Was Hacked

First, scan your Mac with an antimalware solution. Next, turn off remote desktop and screen sharing features to make sure that nobody can connect to your Mac remotely. Verify that there are no keyloggers. Finally, eliminate reasons unrelated to hacking: reboot Mac, perform NVRAM/PRAM reset, check if there is enough space on the startup disk. If possible, visit the Apple Genius Bar for advice.

Now, let’s go over all the above in detail.

Scan Mac for viruses

I recently called Apple Support and complained about the slowness of my MacBook Pro. I could’ve solved the problem myself, but I just wanted how much would it cost for Apple to perform diagnostics on a 5-year old MacBook.

Since I don’t have AppleCare for my Mac, I thought that they would charge me something. Spoiler alert: I wasn’t charged for anything.

So, when I called, the first thing the Apple advisor made me do is to install the Malwarebytes app.

While Malwarebytes is a solid recommendation for scanning, it is not the best. In fact, I stopped recommending it to any Mac user after the test I performed myself recently.

I tested a dozen of antimalware product and only one detected 100% of 117 malware samples I intentionally downloaded on my MacBook. So, if you need a recommendation on a good antivirus check it here.

Tighten up access to your Mac

Programs are not the only threat out there. People sometimes can be even more harmful. There are several ways for someone to spy after you.

One is via remote desktop. Maybe you had experience connecting to servers or other Windows machines at work by remote desktop connection. Macs, even MacBooks, also allow such connections.

Also, it is possible to share the screen of your laptop. While it’s a useful feature, if you mean it, it’s not so good if someone’s using it when you are not aware.

And finally, since macOS has UNIX roots, as any UNIX like the operating system, it can be controlled via SSH protocol. Anyone with access can do pretty much anything on your Mac, and you wouldn’t even know.

If all of the above sounds complicated, don’t worry. I wrote a very detailed post on a topic of remote access to your Mac (https://macmyths.com/how-to-tell-if-someone-is-remotely-accessing-your-mac/). All you need is to go over the post and follow the simple steps outlined there.

Mac keyloggers

For a long time, I thought that all keyloggers could do to record keyboard strokes. Imagine my shock when I started working on my post about keyloggers.

Did you know that a new generation of keyloggers can do screenshots every 5 seconds, or record your messages and social media chats? And they can upload the collected information to the cloud.

And the worst part they are freely available for anyone to purchase!

How To Know If My Mac Is Hacked

To find out how one can identify a keylogger on Mac I installed 5 most popular apps on my laptop. They completely trashed my system, but luckily I had backups, so I was able to recover my MacBook.

Things to try if no virus found

While you are maybe suspecting something bad happening on your computer, it very well may be a normal condition.

Things to try before starting panicking:

Reboot

Sometimes glitches in software can make the current state of your system unstable. A reboot is still a remedy for many problems. You can either restart or shutdown and start again. The effect will be the same.

NVRAM/PRAM reset

Macs historically have a little memory cell where they store some information needed for many Mac peripherals to work. Surprisingly, this area gets corrupt pretty often. Fortunately, there is a very simple fix – reset NVRAM/PRAM and SMC.

Apple has very good instructions on how to perform these tasks.

What they don’t tell is that you have to reset at 2-3 times in a row for a fix to work. I found out this in the school of hard knocks so that you don’t need to.

Clear some space on disk

Lack of space on your startup disk may cause all kinds of issues: app slowdown, app crashes, high CPU usage, and MacBook overheating. Sometimes this may lead you to suspect that your Mac was hacked.

So, first, check how much storage you have left. And if it is not enough, you can either spend money on getting software that helps to clean your disk or read my article on free cleaning tips: How Do I Free Up Disk Space On My Mac Without Software.

New operating system

Apple releases a new version of macOS every year. While they do everything they can to produce quality software, bugs still happen.

For instance, after the recent iOS update on my iPhone, my podcast app starts freezing every time I pause. I still didn’t find why it is happening because I am too lazy busy.

In the case of the issue on hand, if you had a recent OS update, take time to investigate if the issues you are noticing are common for the release.

Check for hardware failure

Macs are very dependable, and they can serve for many years. However, any hardware gradually fails. For example, a failing disk causes unexplained app crashes. Failed RAM will prevent the computer from starting.

There is a good article on the Apple web site about running hardware diagnostics. Try and see what it will report.

Visit Apple Genius Bar

If you have an Apple store nearby, definitely check them out. On several occasions, I had to contact them, they helped me for free. If there is a fee for diagnostics, they should tell you upfront, so you can decide if it’s worth it for you or not.

5 Things To Do If Your Mac Was Hacked

So, you did everything I told you, and you found out that either someone spying or if there was malware on your Mac. There are several things you have to do immediately.

Change passwords

I know it could be painful to change all passwords. I have accounts on hundreds of web sites, and there is no way I could remember all of them. Well, this is not what I am suggesting.

You have to change passwords on the most important sites:

  • Your primary email account. The one that is linked to your bank accounts.
  • Bank and credit card accounts
  • Work email password
  • Apple ID and iCloud passwords (note, they are not the same)

If you are using one password for all sites, consider using 1Password utility.

Check bank statements

It never hurts to go over your bank statements (if you have any) once a while. If you notice some suspicious activity, then do a little research. But don’t panic right away if you don’t recognize a charge.

Almost every once, when I check my credit card statements, I see one or more charges which I don’t remember doing. However, after 5 minutes or so, I remember what it was.

Check credit report

Everyone in the U.S. has a right to get a free credit report once a year. Since there are three main agencies, you can get a free report three times a year (one from each agency). Search for “Annual Credit Report” in Google, but be careful to skip some ads and use the legit site.

Turn on Two-Factor Authentication

If you didn’t do this yet, turn on two-factor authentication on main sites: email, any money sites, etc. It’s a little bit inconvenient, but it’s the best way to prevent hackers from stealing your data.

What’s Next?

I hope I gave you some high-level information you needed in case if you think that your computer was hacked. Now, I suggest to check the articles I mentioned above in the following order, so you know how to deal with the problems outlined:

Last Updated on

This post may contain affiliate links. As an Amazon Associate I earn from qualifying purchases made on our website. If you make a purchase through links from this website, I may earn a commission at no additional cost to you. Read my full disclosure.

You turn on your MacBook and feel that something is wrong: some files have disappeared, or new files were added. You wonder if someone has been watching your computer.

So, how to tell if someone is remotely accessing your MacBook? You need to check your logs, verify that no new users were created, make sure that remote login, screen sharing and remote management are disabled, and no spyware is running on your computer.

First things first. If you suspect that someone is controlling your laptop and if there is a chance that they watching you thru the webcam immediately apply a cover on laptop’s webcam. You can find my favorite webcam covers here.

What is remote access and how is it configured on MacBooks?

There are three ways to access MacOS remotely: allow remote logins from another computer, enable Screen Sharing or allow access by using Remote Desktop. Both ways are legitimate, but if you don’t remember doing any of them you need to know how to turn on and off those possibilities.

Remote login to MacOS

How To Know If My Mac Has Been Hacked

Computers that run MacOS as an operating system can log in to your Mac using Secure Shell (SSH). Steps to enable remote login are the following:

  1. Go to System Preferences. You can get there by clicking on the apple icon on the left of the top bar. After you clicked on apple icon you will see a drop-down menu where you should click on System Preferences menu item.
  2. Find Sharing folder and double click. Click on Remote Login checkbox on the left.
  3. Now you have the option to allow access either for all user or only specific users.

Once Remote Login is enabled then users with access can use SSH to log in and browse your computer’s contents.

Access to Mac screen using Screen Sharing

If you need help from IT to make changes on your MacBook or maybe you are collaborating on a project and want to share your screen you can enable Screen Sharing. Steps to enable as follows:

  1. Go to System Preferences.
  2. Find Sharing folder and double click. Click on Screen Sharing checkbox on the left.
  3. Allow access either for all user or only specific users.

Now on another Mac (from which you want to access to your Mac) start Screen Sharing app. You can start it by clicking Command and Space buttons. In a popup form type Sharing and hit Enter. Type your computer name. In my case, I had to type in “dev-pros-MacBook-Pro.local”.

A new window will pop up with the shared screen of another computer. Now you can control the screen.

Remote Desktop with Remote Management

Finally, it is possible to login to a computer with MacOS by enabling Remote Desktop. Steps to enable as follows:

  1. Go to System Preferences.
  2. Find Sharing folder and double click. Click on Remote Management check box on the left.
  3. Allow access either for all user or only specific users.
  4. There will be different Sharing options where you can fine-tune the type of access to allow: observe, change settings, delete, copy and even restart the computer.

Now you can access this Mac from Apple Remote Desktop – it’s an application you can buy from Apple Store and at the time of writing it’s cost was $79.99.

If your Mac is being monitored, it will show this image (two rectangles) in the top right-hand corner near your computer time:

When that symbol appears, you will be able to tell if you are being monitored. You can also disconnect the viewer by clicking on Disconnect option:

You can also click on “Open Sharing Preferences…” which will open Sharing folder in System Preferences.

Since the question you had was if someone remotely accessing your computer then the chances are that you don’t need any of sharing capabilities mentioned above.

Being

In this case, check all options on Sharing folder under System Preferences to make sure that nobody is allowed to access it and turn off (uncheck) all options.

Verify if new users were created

As we’ve seen already remote login or sharing options require assigning access roles to the local users. If your system was hacked it is very likely that the hacker has added a new user to access it. To find out all users in MacOS perform the following steps:

  1. Start Terminal app by either going to Applications and then Utilities folder or clicking Command and Space and typing Terminal in the popup window.
  2. In the Terminal window type:

On my laptop it listed dev1, nobody, root and daemon.

If you see the accounts, you do not recognize then they probably have been created by a hacker.

In order to find when the user account was used to log in last time type the following command into the Terminal:
last

For each account, MacOS will list the times and dates of logins. If the login to any of the accounts happened at an abnormal time, it is possible that a hacker used a legitimate account to log in.

Check the logs

It may be useful to check the system logs for any possible access issues.

In order to find a system log, click on Go option in the top menu or simultaneously click Shift, Command and G. In the “Go to Folder” popup type: /var/log and hit Enter.

Now find system.log file and scan for word sharing. For instance, I found following screen sharing log entries:

These were log entries when someone logged in to my system remotely:

Check for spyware

If you are still suspecting that spyware is running on your machine you can use a third party application like Little Snitch which monitors applications, preventing or permitting them to connect to attached networks through advanced rules. Setting up the rules for Little Snitch, however, could be complicated.

One of the common spyware applications is a keystroke logger or keylogger. Keyloggers used to be apps that record the letters you type on the keyboard, but they significantly in last years. Suffice to day that keyloggers can take screenshots every 30 seconds or even track your chat activity, including the messages sent to you.

I believe that keyloggers are much greater security threat because they are easier to install and the powerful features they offer. Check my article about keyloggers here: How to know if my Mac has a keylogger

Security Best Practices

1.Change passwords regularly
One thing you should immediately if you are suspecting that someone is logging to your system is to change your password. And the password should be complex enough so that other people wouldn’t be able to guess it. This means avoiding using things like birthdate, first or last name or relatives, house or apartment number, etc. As a rule of thumb the password must be long enough (8 – 32 characters) and include at least 3 of the following character types:

  • Uppercase letter (A-Z)
  • Lowercase letter (a-z)
  • Digit number (0-9)
  • Special characters such as ~!@#$%^&*

2.Enable Security Updates by clicking on “Automatically keep my Mac up to date” in Software Update folder in System Preferences.

3. Install Antivirus. I received a lot of emails where people described suspicious activity on their Macs. I found that in about 60-70% cases, the culprit was malwareand not someone breaking into the computer. It’s a myth that Macs don’t get viruses. If you need proof check the next article I wrote after testing 12 antivirus programs after injecting 117 malware samples on my Mac:

Last Updated on