System Hacked, need to secure.

My system has been hacked by an external user. I have had 2 confirmed witnessed sessions in which it was obvious that my screen was being controlled by an external user. The first was on my work wifi, the second at home. I have 2 login user accounts, one personal Administrator account, the second one that is solely used for work purposes, but only by me. We have changed Google, Apple and both user account passwords. The screen size/resolution was changed by the hacker therefore giving control over a certain portion of the screen that was outside of my view.


a) how can I ensure that my system is now secure?

b) how can we ensure that this does not happen again?

c) how can we track if someone has access currently?



[Edited by Moderator]

MacBook Air 15″

Posted on Feb 23, 2025 3:22 AM

14 replies

Feb 23, 2025 9:29 AM in response to sarmurlaro17

PRP_53's comments are valid in this case, whether or not you agree. The key is someone would have to have physical access to this computer for it to be possible for it to be "hacked."


At this point, there are three "next steps" that I suggest you take:

  1. As tbirdvet has suggested, completely erase your Mac's internal drive, and then reinstall a fresh copy of macOS. Whether or not you restore from a backup is questionable if that latest backup was recent. That is because it may have been "infected" by the "hacker."
  2. Once you have a fresh macOS installed, go through the process of "hardening" your Mac. Some examples are: enabling a firmware password (Intel-only), enabling FileVault, do not create more user accounts than absolutely necessary, use secure passwords and change them periodically, and be sure to keep this Mac running the very latest version of macOS.
  3. Do not let this Mac be used by anyone, other than yourself. When not in use, know where it is at all times. If you can, lock it in a secure location when you are not around.


We have no clue on how this happened. Only that you claim that it has. We can only make assumptions as to what happened and offer reasonable "next step" ideas.


Ref:

Feb 23, 2025 5:08 AM in response to sarmurlaro17

I would guess that if it is true what you have stated I would assume someone has installed some software to control your Mac. You may have brought this home from work. I would boot into recovery, erase the drive, reinstall the OS then migrate from your backup from a time before all this took place. This will not happen again unless you have had some interface with those individuals or companies. The Mac OS itself is very secure against hackers or viruses.

Feb 23, 2025 10:42 AM in response to sarmurlaro17

Screen sharing should not be a risk, but as BobTheFisherman has mentioned, be vigilant of what you are sharing.


As far as connecting to a company's Wi-Fi, the company, of course, should be responsible for providing a secure network for you to connect to. Some companies only allow for non-employees to connect to a "guest" network with only the ability to access the Internet and not to company resources. Not sure that is the case here or not.


A few things you can do to lower risk are to:

  • Either use a Guest account on your Mac or create a new user account solely to be used for accessing the company's network. Then completely delete this account when it is no longer needed.
  • Enable the software firewall on your Mac to block all incoming connections (as you previously did in one of the images you provided).
  • Only stay connected to the company network as required.
  • Do not allow anyone access to your Mac.
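
As an added example (not part of any reply in this thread), the hardening items named in the replies above (FileVault, a firewall that blocks incoming connections, few user accounts) can be checked read-only from Terminal with stock macOS tools. The function names and the PASS/WARN/FAIL labels are assumptions of this sketch; Remote Login is included as one more remote-access setting worth confirming.

```shell
#!/bin/sh
# Added example: read-only audit of the macOS settings named in the replies.
# Each function classifies text printed by a stock macOS tool, so the
# parsing can be checked against constructed sample output on any system.

check_filevault() {   # $1: output of `fdesetup status`
    case "$1" in
        *"FileVault is On"*)  echo PASS ;;
        *"FileVault is Off"*) echo FAIL ;;
        *)                    echo UNKNOWN ;;
    esac
}

check_firewall() {    # $1: output of `socketfilterfw --getglobalstate`
    case "$1" in
        *"State = 2"*) echo PASS ;;   # on, blocking all incoming connections
        *"State = 1"*) echo WARN ;;   # on, but incoming connections allowed
        *"State = 0"*) echo FAIL ;;   # off
        *)             echo UNKNOWN ;;
    esac
}

check_remote_login() {  # $1: output of `systemsetup -getremotelogin`
    case "$1" in
        *"Remote Login: Off"*) echo PASS ;;
        *"Remote Login: On"*)  echo FAIL ;;
        *)                     echo UNKNOWN ;;   # e.g. not run as root
    esac
}

# $1: output of `dscl . -list /Users UniqueID`; prints accounts with UID >= 501
# (the range macOS gives to accounts created by people) for manual review.
human_accounts() {
    printf '%s\n' "$1" | awk '$2 >= 501 { print $1 }' | sort | tr '\n' ' ' | sed 's/ $//'
}

audit() {
    fw=/usr/libexec/ApplicationFirewall/socketfilterfw
    echo "FileVault:    $(check_filevault "$(fdesetup status 2>&1)")"
    echo "Firewall:     $(check_firewall "$("$fw" --getglobalstate 2>&1)")"
    echo "Remote Login: $(check_remote_login "$(systemsetup -getremotelogin 2>&1)")"
    echo "Accounts:     $(human_accounts "$(dscl . -list /Users UniqueID)")"
}

# Run the live audit only on macOS; elsewhere the functions are just defined.
if [ "$(uname)" = "Darwin" ]; then audit; fi
```

Run it with `sudo` so that `systemsetup` can report the Remote Login state; any account listed that you did not create yourself deserves a closer look.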

Feb 23, 2025 11:25 AM in response to sarmurlaro17

OK, I understand. Let me be blunt, though...

  1. You don't have the technical skills needed to do this - certainly not to the level needed for "proof". If you don't trust the in-house IT (and assuming this is university level academia), you probably need an IT security researcher from the Computer Science or Computer Engineering departments.
  2. If you actually think the in-house IT is untrustworthy (or worse, if they actually are), then your organization has a bigger problem...
  3. In any case, in most jurisdictions around the world, unauthorized access to a computer is a criminal offence - so you always have the option of the police.


In any case, pursuing this yourself is the wrong way to go. If nothing else, any "proof" you find will be suspect because you are also the victim and no administrative process worth its salt will accept it (let alone any criminal legal process).

Feb 23, 2025 5:31 AM in response to sarmurlaro17

"Hackers" would have needed Direct Physical Access to this computer


Then, to have somehow been able to Guess the Computer Password in order to have gained access to the Owner / Admin account of the computer


Thereafter, to have planted their "Hacking Software" on this computer


Added, If FileVault were enabled on this computer


Without the Admin Account Password of this computer, it would be virtually impossible to gain access to the computer

Feb 23, 2025 9:31 AM in response to sarmurlaro17

Solution ?


Would like to understand what, in your words, a “Hacker” is and how they would need access to the machine


Unknown external user your words took control of . . .


You may have invited a hacker-like software, namely How do I uninstall Antivirus One from my … - Apple Community

Which in and of itself is totally useless


Windows-like viruses that self-replicate and affect macOS don’t exist because of the underlying UNIX Foundation and permission limitations.

The macOS operating system resides in a sealed and read-only volume that can’t be opened by users or third-party applications.

This antivirus software only protects the developers’ bank accounts and creates problems for users in return.

Mac app security enhancements are sufficient to protect computers from malware.

Adware and malware can affect computers and are often downloaded from “shady” websites or developers who inject them into downloads.

Source: User tip from @Kurt Lang

What is malware? - Apple Community



Feb 23, 2025 9:58 AM in response to Tesserax

Thank you, this is helpful advice and the references are much appreciated.


Physical access is not ruled out based on the circumstances and everything considered.


One more question, based on the nature of the work I do, I need to share my screen with various smart TVs on the company Wifi. How best can I secure myself from further security breaches in the future? This is obviously a potential cause of the problem in the first place, but it is not proven or ruled out at this stage.

Feb 23, 2025 10:29 AM in response to sarmurlaro17

There's very little information being provided to allow any kind of useful advice - beyond the generic advice you've been given already. You say various things "are not ruled out" (by whom?) but what has been "ruled in"? You say there were confirmed, witnessed sessions of your screen being controlled - was this by you personally? Because if so, some detail on what you saw and why you believe this indicated external control would be helpful...


Honestly, there is a bit of an irreconcilable dichotomy between "a hacker good enough to access and escalate access" and "a hacker clumsy enough to obviously screen control in a live session".


Who is doing the troubleshooting on this? Your work IT security people? Because they should have decent resources at their disposal - or do you not trust them?


The screenshots you posted seem to indicate you are involved in academia or some kind of corporate training. IT security in academia is uniformly terrible - especially because those environments are almost always Windows Active Directory environments that are deliberately poorly configured because "academic freedom for research purposes". If there is a hacker, it might not be on your computer (although these days I'd be more worried about ransomware in academia or industry).

Feb 23, 2025 10:51 AM in response to g_wolfman

Yes, you have hit the nail on the head. 1. I don't trust the in-house IT, and you are right, they don't have experience outside of Windows OS.


2. The suspect could be a student, which would explain the dichotomy between someone who has mixed skills and, more importantly, would make mistakes. Alternatively, the suspect could be the IT man himself.


3. I saw the screen being controlled by an external user other than myself while sharing, and while not sharing and while on a different wifi source. My Mac has been left unattended in a presumably 'secure' environment, however both the suspected parties could essentially have access.


4. There is a student who has been confirmed to have breached the system before. So, I am trying to determine how, when, why, and who has breached my system to take action in-house and/or with the student re: disciplinary action. So, I need to have exact proof and I need to figure it out independently of the in-house IT guy.

Feb 23, 2025 10:56 AM in response to Tesserax

Thank you. I was actually using a separate work login already; that's the login that was first breached. However, the admin login, which is my personal one, has also been presumably breached. I suppose a guest login might be more secure as it is erased periodically, if I am not mistaken, but it is challenging operating solely on a guest login at work. Will follow the steps you suggest.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
