Back to Articles

How to prevent your Bitcoin account from getting hacked

Werner van Rooyen
10 minute read

One of Bitcoin’s most important features is that transactions aren’t reversible. This means that once you receive Bitcoin, you don’t have to worry about the sender reversing the transaction. But it also means that if your Bitcoin account gets compromised or hacked, they can send it off and you won’t be able to get it back again.

You should first and foremost be sure to only deal with a reputable Bitcoin company and learn how to identify Bitcoin scams , but that is only half the equation.

It is crucial have your own security measures in place to secure yourself from potential losses.

There are some basic personal checks we’ll go over in this article to greatly reduce the chances of your account from being compromised. They are:

  1. Securing your email account
  2. Securing your social media accounts
  3. Using unique, strong passwords for all online accounts
  4. Enabling two-factor authentication

Let’s go over them one by one.

Secure your email account


The problem

If someone breaks into an unlocked house, takes the car keys from the kitchen counter and drive off with the stolen car, you surely can’t blame the car company for having a weak security system! The car owner has a weak security system.

When people say that their accounts got “hacked”, what usually happened is simply that their email account got compromised, due to weak security. Access to your email account gave hackers access to other accounts.

If someone has access to your email account, they can quickly search for a list of websites you have signed up for in the past. Then they can visit those sites, one by one, and request a password reset. When a password gets reset, a link gets sent back to the inbox. After this, they may change the email address in your accounts, completely locking you out of them.

And it snowballs. The more accounts of yours a hacker has compromised, the easier it gets to compromise other accounts. Some accounts may show your account recovery questions and answers, like “Where were you born?” and “What is your mother’s maiden name” which may be required to gain access to another site. Things can quickly spiral out of control.

How to secure your email account

1. Use a unique, strong password

I’ll go into this in more detail further down below, but it is crucial that you have a strong and unique password. If your password isn’t strong, it can easily be guessed or cracked via brute force (where a computer keeps trying different password combinations). If your password isn’t unique and you used the same password on another website, a hacker can hack the other site and get your password.

If you don’t have a unique, strong password for your email account, go change it now.

2. Check your recent login activity

Most reputable email providers allow you to see what devices and locations around the world recently accessed your email account. If you access your email account open on both your mobile device and your laptop, you should see multiple login sessions.
If you don’t recognise a login session by time, device or country, immediately sign out of all other sessions.


Useful links:

How to see last account activity on Gmail

Recent account activity on Yahoo!

Recent activity on your Microsoft account

If you use a different email service, reach out to them to ask how to see recent account activity.

3. Review and remove email auto forwarders

Most email accounts have a handy feature where you can automatically forward certain email types to another address. If you, for instance, receive a monthly emailed invoice from the telephone company, your email provider can automatically forward a copy of that email to your spouse or your housemate.


The problem is, if a hacker got access to your email account at any time in the past, they might have set up an auto-forwarder like the one above for specific sensitive emails (or worse yet: for all emails) to be forwarded on to them. These emails can be stored over time and used in many ways against you.

How to remove auto forwarders

You can review things in Gmail by clicking Settings (the gear icon) > Forwarding and POP/IMAP.

More links:

If your email provider isn’t listed, go check in the Settings section of your email account to see if there’s anything suspicious or contact your email provider for more help.

4. Review linked accounts

Email accounts have another useful feature that can be used for good and bad: linked email accounts.

Sometimes we’d like to move on from silly old email addresses, like [email protected], to something a little more professional like [email protected]. The problem is that we don’t want to log in and manage both or miss any emails still sent to the old address after switching to the new one.

In those instances, you can simply link the two accounts. If you have access to both email accounts, you can log into the new one, link the old one and all emails sent to the old account will still arrive in your new account.

You can event set it up that you can send emails from the new account using the other email address. This is quite useful when you’re running a small business, where you can send and receive personal emails (like [email protected]) and work emails (like [email protected]) in the same inbox.

The problem is, again, if a hacker got access to your account at some stage in the past and linked it to theirs, they can send and receive emails just like they are you.

How to remove linked accounts.

Check for suspicious accounts in Gmail by clicking Settings (the gear icon) > Accounts and Import.

Helpful links:

If your email provider isn’t listed, reach out to them directly for more information on linked accounts.

5. Set up two-factor authentication

I’ll go into more detail further down below, but two-factor authentication requires two things to gain access to your email account: something you know (your password) and something you have (your mobile phone).

It is nearly impossible for a stranger to gain access to your email account with two-factor authentication enabled.

Secure your social media accounts

Many people interact more frequently with social media platforms than they do with their email accounts. Many social media platforms, like Twitter and Facebook, allow you to authenticate and log in to other websites, without the need for a separate username/password.

secure social media accounts

It is of critical importance that you secure your social media accounts. The first thing is to ensure a unique, strong password for all social media logins. Also, enable two-factor authentication, if it is available (more information on that further below). Lastly, have a look at sites and apps you have authorised and remove suspicious/inactive ones.

Authorising and revoking apps/accounts on Twitter


Log in, click on your image and Settings and navigate to Apps.


How to keep your Facebook account secure

Facebook has some excellent resources on how to keep your account secure.


Go through the entire list, but pay special attention to the Passwords, Login approvals and Login alerts sections.

Use unique, strong passwords

strong password

Why should passwords be unique?

As mentioned earlier, if you use the same password on two websites, you are already leaving yourself open to attack.

We sign up to hundreds of different online accounts on hundreds of different websites these days. Whereas you might trust Luno to keep your Bitcoin and information secure and not to store your password in an unencrypted form, not all websites have such high security.

It is, as an example, very simple for a hacker to set up a website promising you free Bitcoin; where you just need to enter an email address and password to get started. If you use the same email and password on all websites, that hacker now has your email address and password to all other accounts. Accounts that may contain sensitive information or Bitcoin...

Why should passwords be strong?

It is very simple for a hacker to crack a weak password. If your password contains just a mix of numbers and normal words found in dictionaries, it can be quickly retrieved by brute force hacking (which just runs a combination of words and numbers one after the other).
Kaspersky Labs has a password check tool that will tell you exactly how long it will take a hacker to brute-force crack your password.


Use a password management tool

It is unreasonable to expect someone to remember hundreds of account passwords, especially strong ones. And writing down your passwords on a piece of paper or online document is definitely not a very secure solution.

At the very least, I suggest remembering your unique, secure password for all accounts that contain sensitive information, like your email and medical accounts, and money, like your Bitcoin and other financial accounts. That said, the easiest, most convenient and secure way is using a password management tool instead.

What is a Password Management Tool?

Password management tools help you to store, organise and use all of your online passwords. They require you to create (and remember) a single, strong password, which gives you access to all your other passwords.

A lot of people may ask “So what if the password manager tool gets hacked?”. Which is somewhat fair and there is a possibility of it happening, albeit a small one.

It’s important to say that there is no such thing as absolute security. The odds, however, if you are reusing passwords on multiple sites, constantly resetting passwords or using a list to store your passwords, that you are more at risk of being hacked than a password manager company getting hacked.

I’d rather trust a dedicated security company that specialises in password management to handle it for me than to rely on saved notes or worse yet: my memory.

Most password management tools also make logging in much faster. Once you are logged in on your computer, you can log into websites with a few clicks (without typing out your full email address and password each time). This alone can make your daily workflow much more efficient.

Suggested password management tools

We’re in no way affiliated with any of these password managers, it’s up to you to decide which ones have the right features for your needs. Be sure to always use a very strong (and unique) password for your password manager.

Tool Details
LastPass Highly recommended. Good UX and many features in free and premium version.
RoboForm Fast and many features. Lacks password strength reporting & sharing.
DashLane Powerful, but the free version has very limited features. Can’t save application passwords.
KeyPass Free, open source alternative.

Use two-factor authentication

two-factor authentication

Two-factor authentication (or 2FA) is one of the best, free ways to secure your online accounts. It is one of the most effective ways to protect yourself and can be done in under two minutes (see our video demo below).

Two-factor authentication adds another layer of authentication to access an account by requiring two things: something you know (your password) and something you have (your mobile device).

Many sites and services already support 2FA, including Google, Facebook and Luno. You might already be used to your bank or credit card provider sending you a text message with a one-time PIN for certain transactions. These services also two-factor authenticated.

How to enable 2FA

You will first need to download a reputable 2FA app onto your mobile device, then you need to set it up on the supported website.

1. Download and install a 2FA app

The most popular 2FA apps are listed below. Do your research and install one of them on your mobile device.

App Supported platforms Notes
Authy Android, iOS, Chrome, OS X Recommended. Free, multiple devices, good backups & recovery
Google Authenticator Android, iOS, BlackBerry Original 2FA app, trusted brand, free
LastPass Authenticator Android, iOS, Windows phone Nice LastPass integration, one-tap authentication
FreeOTP Android, iOS Open-source alternative by Red Hat

2. Set up 2FA on your online account

There are many sites that support two-factor authentication. For assistance in setting up, please contact those sites directly.

Below are the setup instructions for Luno:

Navigate to Settings > Security in the menu. Since you’ve already installed a 2FA application, above, click the setup button.


Luno should show you a screen with a QR code which you’ll need to pair your mobile device with Luno.

On your 2FA app:

  1. Add a new account
  2. Scan the QR code as shown by Luno
  3. Save the account

Your 2FA application should show you a six digit code (that changes every 20-30 seconds)

On Luno:

  1. Print out the QR code page and store it in a safe place.
  2. Type in the code generated on your 2FA app
  3. Click enable


Your phone (2FA app) and Luno are now linked!

Even if someone now managed to steal, guess or otherwise hack their way to get your Luno username and password, they won’t be able to log into your account without the 2FA code.

In closing

There are certain things that your Bitcoin provider should do to keep your Bitcoin secure. Luno is dedicated to keeping our customers' Bitcoin safe, but there are certain things that you need to do to protect yourself and your money.

If you think your account has been compromised, immediately reach out to us at [email protected]

Avatar Werner van Rooyen

Werner van Rooyen

Werner is our former Head of Communications. His passions include payments, e-commerce, technology, marketing and design: something that he has been fortunate enough to do on three different continents. Werner has lived and worked in South Africa, the United States, Indonesia, Taiwan and China.

It’s never too late to get started.
Buy, store and learn about Bitcoin and Ethereum now.

Desktop Icon Apple App Store Logo Google Play Store Logo