If you landed here because your Mac is acting strange and a quiet voice is asking “has someone gotten in?” — take a breath. Most of the time the answer is no. Macs misbehave for boring reasons far more often than they get hacked: a runaway browser tab, a full disk, a flaky update. But “usually nothing” isn’t the same as “never,” and the smart move is to actually check rather than spiral.
This guide walks you through the same checks a security-minded person would run, in plain language, no jargon required. Work through them top to bottom. By the end you’ll either have peace of mind or a concrete list of things to fix — both are good outcomes.
First, separate real warning signs from normal weirdness
Plenty of “symptoms” people panic about are completely normal. Before you assume the worst, here’s how to read the signals.
Usually nothing to worry about:
- The fans spin up loudly for a while (often Spotlight indexing, a backup, or a heavy website).
- The Mac feels slow right after a macOS update (it’s doing background work for a day or two).
- The battery drains faster as it ages.
- A single app crashes or freezes now and then.
Worth taking seriously — especially several at once:
- Your fans run hard and the Mac is hot even when you’re not doing anything.
- You see network activity (uploads especially) when nothing should be using the internet.
- New apps, browser extensions, or login items you don’t remember installing.
- Settings change on their own — your homepage, default search engine, or a new “configuration profile” appears.
- You’re locked out of your Apple Account, or get sign-in alerts from places you’ve never been.
- Your cursor moves on its own, or the screen-recording / camera indicator turns on unexpectedly.
One of these alone is rarely proof of anything. A cluster of them is your cue to dig in. Let’s do exactly that.
Step 1 — Check what’s connecting to the internet
This is the single most useful check, because almost anything malicious — spyware, a remote-access tool, a crypto miner phoning home — has to talk to the network to be worth anything. If you can see what’s connecting out, you can spot the impostor.
The built-in way:
- Open Activity Monitor (Applications → Utilities, or search for it with Spotlight).
- Click the Network tab.
- Sort by Sent Bytes and watch for a few minutes.
You’re looking for any process steadily sending data when you’re not actively uploading anything. Most names will be familiar or obviously part of macOS (cloudd, nsurlsessiond, your browser, Dropbox, etc.). If you see a name you don’t recognize, copy it and search for it — a legitimate process will have plenty of normal results; something sketchy often has forum threads asking the same question you are.
For a deeper look, the Terminal command lsof -i lists open network connections, and tools like Little Snitch or the free LuLu can alert you whenever a new app tries to connect out. The honest catch: Activity Monitor is noisy and cryptic, and the power-user tools have a learning curve. That gap — “I want to see what’s connecting without decoding system process names” — is exactly why we built Lookout: it lists the apps talking to the internet in plain English, so an unexpected connection actually stands out instead of hiding in a wall of d-suffixed daemons.
Step 2 — Look for login items and background processes you didn’t add
Malware wants to survive a reboot, so it adds itself to the things that launch automatically. Apple put all of this in one place on recent macOS versions:
- Open System Settings → General → Login Items & Extensions.
- Review “Open at Login” and especially “Allow in the Background”. The background list is long and mostly legitimate (printer helpers, Google updaters, etc.), but scan for anything you don’t recognize.
- Toggle off anything suspicious. If something important breaks, you can toggle it back — nothing here is permanent.
If a background item lists a vendor you’ve never heard of and you can’t find a plausible explanation, that’s a thread worth pulling.
Step 3 — Check for configuration profiles you didn’t install
Configuration profiles can quietly change settings, route your traffic, or restrict your Mac. A normal personal Mac usually has none. If you didn’t add one (and your employer didn’t), a profile showing up is a genuine red flag.
- Open System Settings and look for Device Management or Profiles (it only appears if a profile exists).
- If you see one you don’t recognize, select it and remove it.
Step 4 — Audit your browser extensions and homepage
A huge share of “my Mac is hacked” cases are really a browser hijack — a rogue extension that changes your search engine, injects ads, or watches what you browse.
- Safari: Settings → Extensions. Remove anything unfamiliar.
- Chrome: Menu → Extensions → Manage Extensions.
- Check your homepage and default search engine in each browser’s settings and reset them if they changed.
Step 5 — Check for unknown user accounts
Open System Settings → Users & Groups and make sure every account listed is one you recognize. An extra admin account you didn’t create is a serious sign someone set up their own way in.
If you think someone you know is monitoring your Mac
Most “hacking” is impersonal and automated. But sometimes the worry is specific — that a person with physical access installed something to watch you. So-called stalkerware often hides as a normal-looking background process and quietly records activity.
The checks above still apply (look hard at Step 1’s outgoing connections and Step 2’s background items), and if you find something, the steps below will help you cut off access. If you’re in a situation where your safety could be at risk, consider using a different, trusted device to seek help — the National Network to End Domestic Violence’s Safety Net project has guidance written for exactly this situation.
What to do if you find something (or just want to be safe)
Whether or not a single check came back alarming, here’s the cleanup that resolves the vast majority of real compromises:
- Disconnect from the internet if you saw active, unexplained uploads — it stops data leaving while you work.
- Update macOS (System Settings → General → Software Update). Many infections rely on holes that were patched long ago.
- Run a reputable on-demand scanner. The free version of Malwarebytes for Mac is a well-regarded one-time check.
- Remove the suspicious login items, profiles, extensions, and accounts you found above.
- Change your important passwords — starting with your Apple Account and email — from a device you trust, and turn on two-factor authentication everywhere it’s offered.
- If anything still feels off, the nuclear-but-certain option is to back up your files, erase the Mac, and reinstall macOS fresh.
Staying aware going forward
The reassuring truth: a Mac that’s genuinely compromised almost always reaches out to the network, and a Mac that isn’t, mostly sits quiet. The single habit that catches problems early is simply knowing what normal looks like for your machine — which apps usually connect, and noticing when something new shows up.
That’s the whole idea behind Lookout: a quiet menu-bar view of what your Mac is actually doing, in plain English, so “wait, what is that?” becomes a glance instead of an afternoon of detective work. It won’t replace good security habits — but it makes the most useful check in this guide something you can do in five seconds, any time the question crosses your mind.