Is a two-factor authentication code request I didn't trigger a sign I am being hacked?
Yes — receiving an unexpected 2FA code means someone has your username and password and is actively trying to log in to your account. Change your password immediately.
Last reviewed: 1 June 2026
Explanation
When you receive a two-factor authentication (2FA) code you did not request, it means someone else has your password and has entered it on the login page — triggering the code that is now in your inbox or on your phone. The 2FA system is working as intended by stopping them at the second step, but your password is compromised. You should change your password immediately on that account and on any other service where you use the same password. Do not share the 2FA code with anyone — if someone calls or messages you asking for it, they are a scammer trying to complete the login they triggered. Enable a stronger second factor such as an authenticator app rather than SMS where the service allows it.
Common red flags
- You receive a 2FA SMS code without having tried to log in
- You receive multiple codes in succession, suggesting repeated login attempts
- Shortly after the code arrives, someone contacts you asking for it
- You are unable to log in to your account — it may already be taken over
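For readers who operate a login service, the first two red flags can also be seen from the server side: a correct password that triggers a code which is never entered. The following is an added example, not part of the original page; the event names, log format and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, account, source IP, event.
# "password_ok" = correct password entered, 2FA code sent; "2fa_ok" = code accepted.
SAMPLE_EVENTS = [
    ("2026-06-01T09:00:00", "alice", "203.0.113.7", "password_ok"),
    ("2026-06-01T09:00:40", "alice", "203.0.113.7", "2fa_ok"),
    ("2026-06-01T02:10:00", "bob", "198.51.100.23", "password_ok"),
    ("2026-06-01T02:11:30", "bob", "198.51.100.23", "password_ok"),
    ("2026-06-01T02:13:05", "bob", "198.51.100.23", "password_ok"),
    ("2026-06-01T11:00:00", "carol", "192.0.2.44", "password_ok"),
]

CODE_LIFETIME = timedelta(minutes=5)   # assumed validity window of a code
BURST_WINDOW = timedelta(minutes=10)   # assumed window for "in succession"
BURST_COUNT = 3                        # assumed threshold for repeated attempts


def find_abandoned_challenges(events):
    """Return {account: [timestamps]} of 2FA challenges never completed."""
    parsed = sorted((datetime.fromisoformat(t), a, ip, e) for t, a, ip, e in events)
    abandoned = defaultdict(list)
    for i, (ts, account, ip, event) in enumerate(parsed):
        if event != "password_ok":
            continue
        # A challenge counts as completed if the same account and IP
        # submit a valid code before the code would have expired.
        completed = any(
            e2 == "2fa_ok" and a2 == account and ip2 == ip
            and ts <= t2 <= ts + CODE_LIFETIME
            for t2, a2, ip2, e2 in parsed[i + 1:]
        )
        if not completed:
            abandoned[account].append(ts)
    return dict(abandoned)


def classify(events):
    """Map each affected account to 'repeated' or 'single' unanswered code."""
    result = {}
    for account, stamps in find_abandoned_challenges(events).items():
        burst = any(
            sum(1 for s in stamps if start <= s <= start + BURST_WINDOW) >= BURST_COUNT
            for start in stamps
        )
        result[account] = "repeated" if burst else "single"
    return result
```

An account flagged here has had its password accepted without the second step being completed, which is the situation described above: the password should be treated as compromised and the account owner prompted to change it.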
What to do now
- Change your password immediately using a device you trust
- Change the same password on every other site where you used it
- Do not share the 2FA code with anyone who contacts you about it
- Review recent account activity and check for any changes you did not make
Frequently asked questions
If I have 2FA enabled, is my account safe even if my password is stolen?
2FA significantly raises the difficulty for attackers, but it is not infallible. Real-time phishing sites can relay your 2FA code before it expires. Changing your password promptly eliminates the stolen credential.