How to Tell If Your Wi-Fi Was Hacked (And What to Do About It)

Your Wi-Fi password is the front door to your entire home or business network. Once someone gets past it, they have access to everything connected to it — your computers, phones, smart home devices, shared drives, and your internet traffic. The scary part? Most people find out they've been compromised months after the fact, if ever.

Here's how to tell if your Wi-Fi has been hacked, what the intruder is likely doing while on your network, and the exact steps to kick them out and lock the door behind them.

Warning Signs Someone Is on Your Network

These red flags don't always mean you've been hacked — but each one is worth investigating, and multiple signs together should be treated as a confirmed breach until proven otherwise.

Internet that feels slower than it should

If you're paying for a 500 Mbps plan but running speed tests at 50 Mbps with no explanation from your ISP, someone else may be consuming bandwidth on your connection. This is especially telling if speeds vary dramatically at different times of day — faster when the neighbor is at work, slower in the evening.

Router activity lights blinking at odd hours

Check your router's activity lights at 2–3 AM when all your devices should be idle or asleep. If the lights are blinking steadily — indicating active data transfer — something is using your network. It could be a legitimate device like a security camera uploading footage, but it's worth verifying.

Router settings that changed without you touching them

Log into your router admin panel (covered below) and look for settings you didn't configure: unfamiliar port forwarding rules, DNS servers changed to unknown IP addresses, admin password changed, remote management enabled. Any of these is a serious red flag.

Security cameras or smart devices acting strangely

If your cameras are moving on their own, if smart locks are behaving erratically, or if smart devices are restarting unexpectedly, an unauthorized user on the network may be interacting with them.

Devices you don't recognize in the connected devices list

This is the most direct evidence. See below for exactly how to find and check this list.

How to Check Your Router for Unauthorized Devices

This takes about five minutes and gives you a definitive list of every device currently connected to your network.

Step 1: Log into your router admin panel

Open any browser and type one of these addresses in the URL bar:

• 192.168.1.1 — most common default
• 192.168.0.1 — used by many Netgear, Linksys routers
• 10.0.0.1 — used by some Apple and AT&T routers

If none of these work, look at the label on the back or bottom of your router — the default admin address is usually printed there. Log in with the admin credentials (also on the label if you've never changed them, though you absolutely should change the default).

Step 2: Find the connected devices list

Look for a section called "Connected Devices," "Device List," "DHCP Clients," or "Attached Devices" — the exact name varies by router brand. You'll see a table showing every device currently connected, typically including its name, IP address, and MAC address.

Step 3: Identify unknown MAC addresses

A MAC address is a unique hardware identifier for each network device. Go through the list and account for every device you recognize: phones, laptops, tablets, smart TVs, game consoles, smart speakers, printers, cameras. Any device you can't account for is suspicious.

If you see a device labeled something generic like "Unknown" or an odd manufacturer name you don't recognize, note the MAC address. You can look up the manufacturer of any MAC address at macvendors.com — the first six characters identify the manufacturer, which helps narrow down what the device is.

What Hackers Actually Do on Your Network

Understanding the threat helps you prioritize your response. Someone connected to your Wi-Fi can potentially do all of the following:

• Traffic sniffing — Using tools to capture unencrypted network traffic and read usernames, passwords, and session cookies from websites that don't use HTTPS
• Bandwidth theft — Using your connection for torrenting, crypto mining, or routing their own traffic through your IP address (which means their illegal activity traces back to you)
• Accessing shared network resources — If you have a shared drive, NAS device, or printer visible on the network, they can access it
• Man-in-the-middle attacks — Intercepting traffic between your devices and the internet to steal credentials or inject malicious content into pages you visit
• Lateral movement to your devices — Once on the network, they can probe and attempt to access your computers or phones directly

The moment you confirm an unauthorized device is on your network, treat it as a full breach — not just a minor annoyance. Act quickly.

Immediate Steps If Your Wi-Fi Has Been Hacked

Do these steps in this specific order. The order matters.

1. Change the router admin password first

Most people change the Wi-Fi password and stop there. That's wrong. If the attacker has already accessed your router admin panel and changed settings, simply changing the Wi-Fi password doesn't remove their access to the router itself. Go into router settings and change the admin login password before anything else. Make it long and unique — not the same as your Wi-Fi password.

2. Update the router firmware

Many router intrusions exploit known firmware vulnerabilities. While you're in the admin panel, check for firmware updates and install any available. This patches the vulnerability they may have used to get in.

3. Change the Wi-Fi password to something strong

Use a password that's at least 16 characters with a mix of letters, numbers, and symbols. Don't use anything based on your address, name, or phone number. Use WPA3 security if your router supports it — if not, WPA2 is the minimum acceptable standard. Never use WEP or leave it open.

4. Kick all devices and reconnect only yours

The cleanest approach: after changing the password, every device on the network — including all the ones you own — will be disconnected. Reconnect only your verified devices one at a time. This ensures no unauthorized device slips back onto the network with a saved password.

Long-Term Network Hardening

Once the immediate threat is addressed, these steps make your network significantly harder to penetrate going forward.

Set up a guest network for IoT devices

Smart TVs, thermostats, doorbells, and other IoT devices are notoriously insecure and frequently targeted. Put them on a separate guest network that's isolated from your main network where your computers and phones live. This way, even if a smart device is compromised, the attacker can't reach your primary devices.

Disable WPS immediately

Wi-Fi Protected Setup (WPS) is a feature that lets devices connect to your router by pressing a button or entering an 8-digit PIN. The PIN method has a well-known vulnerability that makes it trivially brute-forceable in hours. Disable WPS in your router settings — there's no good reason to have it enabled.

Replace the default router SSID

Don't broadcast a network name like "Netgear_5G" or "ASUS_Router" — this tells attackers exactly what hardware you're using, which points them directly to known vulnerabilities for that model. Use something generic that doesn't identify your hardware, address, or name.

Consider a UTM firewall for businesses

For home offices and small businesses, a Unified Threat Management (UTM) device does far more than a standard consumer router — it inspects traffic, blocks known malicious domains, detects intrusion attempts, and logs activity. If you're handling client data or running any kind of business, it's worth the investment.

When to Call a Professional

DIY router hardening handles the basics, but there are situations where you need professional help:

• You found unauthorized devices but don't know how they got in
• Router settings were changed and you don't know what was modified
• You suspect a device on your network was directly accessed or compromised
• You run a business and handle customer or financial data
• You want a full network security assessment and proper firewall configuration