Signs that your MacBook is hacked (and what to do about it)

Despite Apple’s built-in protections, MacBooks are not immune to cyberattacks. Real-world cases have shown that threat actors can gain access through weak passwords, phishing, or unpatched system flaws, which can lead to malware infections or full device compromise.

If your MacBook starts crashing, overheating, or behaving unpredictably, these could be signs of a hack, especially if unknown apps appear or your settings are altered.

This guide explains how to detect the warning signs, how the attack may have happened, and what immediate, practical steps you should take to recover your privacy and secure your Mac.

Can MacBooks be hacked?

Many people assume that Macs can’t be hacked, but that’s a misconception. Like any internet-connected device, a MacBook can be exposed to phishing attacks, malware, or other forms of compromise, especially if the system software is outdated.

While Apple includes strong protections like Gatekeeper, which verifies apps before they launch, and XProtect, which scans for known malware, these tools are not foolproof if users unknowingly override them or fail to update their systems.

It’s true that Macs are targeted less often than Windows devices, primarily due to market share: Windows continues to dominate globally, making it a more attractive target for cybercriminals looking to hit the largest possible pool of victims. macOS also benefits from its Unix-based architecture and Apple’s relatively tight control over its ecosystem, which includes app notarization and frequent security updates.

However, as Apple’s market share has grown, MacBooks have become increasingly attractive to threat actors. Malware specifically designed for macOS, such as infostealers and backdoors, is on the rise. These threats are often distributed via phishing campaigns, fake software updates, or malicious downloads.

The bottom line is that no system is immune. If something feels off, whether it's performance lag, strange network activity, or unknown software running, it's worth investigating early. The sooner a problem is identified, the easier it is to contain and resolve.

How to know if your MacBook has been hacked

If your MacBook has been compromised, it’s not always obvious. However, certain system changes or behaviors can suggest something isn’t right. These signs may not confirm a hack on their own, but noticing more than one, especially if they appear suddenly or without clear explanation, could point to unauthorized access or malware.

Here are the red flags.

Unusual behavior from macOS or Finder

Unexpected issues with Finder or the macOS interface can be one of the first signs that something's off. You might see files disappearing, renaming themselves, or moving without input. Finder may freeze or show strange error messages.

Such behaviors are not typical and may suggest background interference, especially if they recur after a reboot.

If these issues persist and you can’t trace them to a recent update bug or a known glitch, your system may have been compromised.

MacBook overheating or randomly crashing

If your MacBook starts overheating even while idle or doing light tasks, it could be a sign that something’s wrong beneath the surface. The same applies to frequent crashes or unexpected restarts.

This kind of instability doesn’t confirm a hack on its own, but it’s worth investigating, particularly if the fan spins loudly when no resource-heavy apps are open or the device reboots by itself. It may indicate that unsafe software is running in the background, either misconfigured or intentionally hidden.

Browser shows unexpected pop-ups or redirects

If you suddenly see a wave of intrusive pop-ups or get redirected to strange websites you didn’t intend to visit, it’s time to pay attention.

While this can happen in Safari, the same behavior can appear in other browsers on your Mac, such as Chrome or Firefox, and often points to adware or a browser hijacker running in the background. In more serious cases, these pop-ups and sites can trick you into clicking malicious links or downloading unsafe software.

Unknown apps or .pkg files appear in Applications

If you notice apps or installer files you didn’t download in your Applications folder, that’s a red flag. Some malware can quietly drop payloads disguised as legitimate apps or .pkg installers. These files might look harmless at first glance, using familiar icons or generic names, but their presence can indicate that something was installed without your knowledge.

This often happens not because Gatekeeper is bypassed, which is rare, but because users are tricked into granting permissions during fake updates or bundled downloads. If you don’t recognize the name of an app, or you’re sure you never installed it, get rid of it.

High CPU usage in Activity Monitor

Sometimes, malware or unauthorized tools running in the background can overwork your MacBook’s CPU. If your fans are spinning loudly or the system feels unusually slow, it’s worth checking Activity Monitor to see what’s consuming resources.

Here’s how to do it:

1. Go to Applications, then Utilities.
   
2. Open Activity Monitor.
   
3. Click the CPU tab at the top of the window. Sort the list by % CPU by clicking the column header. This will show the most resource-hungry processes at the top.
   
4. Look for any process using a very high percentage of CPU for a sustained period, especially if you don’t recognize the name. If unsure, search the name of the process online to confirm whether it’s legitimate.

Camera or microphone activates without user input

If the camera or microphone turns on when you're not actively using an app that requires them, this could be a sign of unauthorized access. On macOS, the green light next to the camera is designed to turn on automatically whenever the camera is in use.

If it lights up unexpectedly, without any app visibly using it, it’s important to investigate potential misuse or configuration issues. Similarly, microphone activity without a clear cause may indicate spyware trying to listen in.

To check which apps have access to the camera and microphone:

1. Go to System Settings.
   
2. Click on Privacy & Security, then go to Camera or Microphone.
   
3. You’ll see a list of apps with permission. If any of them look unfamiliar or shouldn’t have access, toggle them off immediately.
   

This doesn’t always mean your Mac has been hacked, but unexplained activation is something Apple’s privacy protections are designed to prevent. If it happens repeatedly, it may warrant a full scan with trusted security software.

System or firewall settings are changed without permission

If you notice that your Mac’s system preferences have changed, like the firewall being disabled, file sharing suddenly enabled, or remote login turned on, it could indicate unauthorized access.

macOS doesn’t make these changes on its own. So, if something like Screen Sharing, Remote Login, or File Sharing is active and you didn’t enable it, that’s a red flag.

To check:

1. Go to System Settings, click Network, and confirm Firewall is active.
   
2. Then go to General and click on Sharing.
   
3. Verify that only the sharing settings you want are toggled on.
   

Login alerts from unfamiliar locations on Apple ID

If Apple sends you a notification about a login from a device or location you don’t recognize, you should take it seriously. These alerts usually appear as pop-ups on your devices or as emails stating that your Apple ID was used to sign in to a new device or browser.

This could mean someone has gained access to your Apple ID credentials and is trying to use them to access iCloud data, messages, or even your Mac via remote features like Find My or iCloud Keychain.

To check if your iCloud has been compromised, go to account.apple.com and sign in with your Apple ID. Review the list of devices linked to your account and remove any that seem unfamiliar. If you suspect unauthorized access, update your passwords right away and make sure two-factor authentication is turned on.

Common ways cybercriminals target MacBooks

macOS is harder to compromise than other operating systems, but there are still various ways that threat actors find their way into MacBooks.

Phishing emails impersonating Apple or iCloud support

Attackers send emails that mimic Apple or iCloud support, relying on trust and urgency to get users to click fake verification links.

The link usually leads to a fake Apple login page. If you enter your credentials, the attackers collect them. Some emails also include attachments disguised as invoices that may contain malware or redirect you to phishing sites.

You can report suspicious messages like these to reportphishing@apple.com.

Malicious software bundled with fake Mac apps or updates

Sometimes, what looks like a regular app or system update can carry something far more harmful. Fake installers or repackaged applications can hide malware designed to spy on your activity, install other unwanted programs, or take control of your Mac. These often appear on unofficial websites or download portals that mimic legitimate sources.

In some cases, attackers use fake utility tools like antivirus apps or cleaning programs as a way to trick users into installing malware. Once opened, these apps may silently run processes in the background or request unnecessary system permissions.

If you’ve recently downloaded an app and you’re now seeing strange processes, pop-ups, or permission prompts, you should remove it.

Weak or reused Apple ID and Mac login passwords

If your Mac or Apple ID password is easy to guess or reused across different accounts, it becomes a security weak spot. Attackers often try credentials found in data breaches on multiple sites. If one of your reused passwords has been leaked, your Apple ID and your MacBook could be at risk.

Once inside your Apple account, a cybercriminal could access backups, emails, location data, or even remotely wipe your device using Find My. If they gain access to your local user account on macOS, they could install apps or change system settings without your knowledge.

To stay safe, it’s important to use strong, unique passwords for both your Apple ID and Mac login. Enabling two-factor authentication adds an extra barrier, making it harder for anyone to log in without your direct approval.

Exploiting outdated macOS versions or unpatched system apps

Cybercriminals sometimes take advantage of security flaws that haven’t been fixed yet. If your Mac is running an outdated version of macOS or any system apps that haven’t been updated, it may be vulnerable to known exploits.

Keeping your system and built-in apps up-to-date helps fix the security vulnerabilities that attackers could otherwise exploit.

What to do if you suspect your Mac is hacked

If you’ve noticed unusual behavior like persistent pop-ups, system crashes, unknown apps, or login alerts, your Mac may be compromised. Acting quickly can limit the damage and help you regain control before it escalates.

Disconnect from the internet immediately

If you suspect your MacBook has been hacked, the first step is to cut off its internet connection. This helps stop any remote access or data exfiltration while you assess the situation.

Click the Wi-Fi icon in the top-right corner of your Mac screen and turn it off.If using Ethernet, unplug the cable from your Mac.

Run a trusted antivirus or malware scanner

Once you’re offline, scan your Mac using a reliable antivirus tool that works specifically on macOS. This helps to detect, quarantine, and remove hidden spyware and other malware. Specialized antivirus tools can detect and remove threats that macOS’s built-in protections might not catch.

Remove unknown apps and browser extensions

If you see apps or browser extensions you don’t recognize, it’s worth looking them up online to see if others have reported issues. This is especially true if your MacBook started acting strangely after installing something new.

Some malicious software disguises itself as a helpful tool but runs in the background or collects data without your consent.

To remove suspicious apps:

1. Open Finder, go to Applications, and look for any unfamiliar or suspicious apps. Right-click the app and select Move to Trash.
   

To check Safari extensions:

1. In the menu bar at the top of the screen, choose Safari, then Settings or Preferences.
   
2. Click the Extensions tab. You’ll see a list of all installed extensions in the left-hand sidebar. Select the extension you want to remove from the list. On the right side, click the Uninstall button.
   
3. A pop-up may appear telling you to remove the associated app in Finder.
   
4. If so, click Show in Finder, then move the app to the Bin (Trash) by right‑clicking on the app icon and clicking on Move to Trash.
   

For Chrome:

1. Open Chrome and type chrome://extensions in the search bar.
   
2. Review the list and remove unwanted extensions. When prompted, confirm by clicking Remove again in the pop‑up window.
   

Change your Apple ID and email passwords

If someone gains access to your Apple ID or email account, they can do far more than just read your messages. With access to your Apple ID, an attacker could restore backups, track your device, or even wipe it remotely. If your email is compromised, it can be used to reset other accounts or impersonate you.

Start by changing your Apple ID password at account.apple.com, and make sure you're not reusing it on other services. Then, update the passwords for your primary email accounts. Use strong, unique passwords for each, and enable two-factor authentication wherever it's available. This makes it harder for someone to log in, even if they somehow get hold of your password.

To make things easier, a password manager like ExpressVPN Keys can generate and store strong credentials for every site and even handle your 2FA codes directly within the app.

Check and revoke iCloud and device sessions

If you think someone else might have accessed your Apple ID, visit account.apple.com and sign in. There, you can check which devices are linked to your account and remove any that you don’t recognize. You should also review Apple ID sign-in activity:

1. Go to System Settings, then scroll down to see the full list.
   
2. If anything looks unfamiliar, you can select the device and choose Remove from Account to revoke access remotely.
   

Back up important files

If your Mac might be compromised, it’s important to save any personal files you don’t want to lose, but only if you’re sure they’re safe. Avoid backing up apps or system settings, since those could carry hidden threats. Focus on documents, photos, and other essentials.

Use an external hard drive or a cloud storage service you trust. If you’re planning to reset your Mac, having a clean backup ensures you won’t lose everything in the process.

Report any compromised accounts

If any of your online accounts were accessed without your permission, like email, social media, or banking, you should report the incident to the platform or provider immediately.

Most services offer a way to secure your account, review recent activity, and contact support for help regaining access. Reporting early can stop further misuse and may help recover lost data or prevent fraud.

Reset your Mac to factory settings

If malware keeps reappearing or strange issues persist even after following the steps above, resetting your Mac might be the best option. A factory reset wipes your system completely and reinstalls macOS from scratch. Just make sure to back up your clean personal files first, and avoid restoring apps or settings that might reintroduce the problem.

How to protect your MacBook from future attacks

Whether your MacBook has already been compromised or you simply want to avoid threats in the future, taking a few practical steps can significantly reduce your risk. From enabling built-in protections to adjusting how you use your Mac, these habits can help you stay ahead of most common attacks.

Turn on FileVault encryption and enable macOS firewall

Turning on FileVault ensures that your entire disk is encrypted, making your data unreadable if your Mac is lost or stolen. The firewall blocks unwanted incoming connections, which is especially useful on public or untrusted networks. Here’s how to enable these settings.

1. In System Settings from the Apple menu, click on Privacy & Security in the sidebar, then scroll down and select FileVault.
   
2. Select Turn On and follow the prompts to set a recovery method.
   
3. Back in System Settings, select Network and then Firewall to toggle the firewall on.
   

Regularly update macOS

Apple frequently releases security updates to patch newly discovered vulnerabilities in macOS and system apps. Skipping updates can leave your Mac open to known threats. Here’s how to stay updated.

1. In System Settings, click on General in the sidebar and select Software Update.
   
2. If an update is available, click Update Now or Restart Now and follow the prompts. Also, turn on Automatic Updates if it’s not already enabled.
   

Use strong, unique passwords and enable two-factor authentication (2FA)

Using weak or reused passwords makes it easier for attackers to break into your accounts. A strong password should be long, hard to guess, and different for every account.

With the ExpressVPN Keys password manager, which is available with every ExpressVPN subscription, you can generate strong, random passwords and store them securely. It also generates 2FA codes to authenticate your logins. It’s an easy way to boost your security without the hassle of juggling multiple apps.

Avoid clicking suspicious links in emails, iMessages, or browsers

Phishing emails or fake pop-ups can trick you into handing over credentials or downloading malware. If you receive a message urging you to act quickly, especially about your Apple ID or bank account, don’t click any links. Instead, visit the official site directly and verify the message there.

For extra protection, consider using a trusted VPN like ExpressVPN for Mac. As well as encrypting all your data to protect it from third parties, its Advanced Protection tool helps block known malicious sites and phishing links.

Stick to HTTPS websites

Sites that use HTTPS encrypt the connection between your Mac and the website, making it harder for attackers to intercept data like passwords or personal info. Look for the lock icon in the address bar before entering sensitive information.

Download and install apps only from the Mac App Store or verified developers

Installing apps from unknown sources is one of the easiest ways to accidentally install malware on your Mac. Always stick to the App Store or the official site of a trusted developer, and even then make sure to check app reviews and developer credibility.

Use a limited user account, not a developer or admin account

Daily use of a limited (non-admin) account helps contain the damage if your system gets compromised. Malware installed under a standard account won’t have permission to change critical system settings unless you explicitly allow it.