Discovering your email has been hacked is alarming — but it is not hopeless. Whether you are seeing unknown sent messages, locked out entirely, or getting warnings from friends about spam from your address, this guide walks you through every step to recover your account and lock it down for good. The faster you act, the less damage is done.
Signs Your Email Was Hacked
Before jumping to recovery, confirm the signs. Common indicators include:
- Unknown messages in your Sent folder — emails you did not write sent to your contacts
- Your password no longer works — the attacker changed it after gaining access
- Recovery options were modified — your backup email or phone number was changed
- Friends report receiving spam or phishing emails from your address
- Login alerts from unfamiliar locations — notifications from Gmail, Outlook, or Yahoo about sign-ins from foreign countries
- Missing emails — the hacker may have deleted messages, or set up filters that delete, archive, or forward mail before you see it (a common way to hide password-reset notices and warnings from your contacts)
Step 1 — Try Account Recovery Immediately
Your first move is to attempt recovery through the official account recovery page of your email provider. Do this from a trusted device on a secure network — not public Wi-Fi.
Gmail Recovery
Go to accounts.google.com/signin/recovery. Google will attempt to verify your identity using your recovery phone number, backup email, previous passwords, or security questions. Answer as many correctly as possible. If you are in a familiar location on a device you have used before, Google is more likely to grant access.
Outlook / Microsoft Recovery
Go to account.live.com/acsr and start the account recovery form. Microsoft asks for details like when the account was created, who you email most often, and recent subjects or contacts. Fill out as much as you can — Microsoft reviews these manually within 24 hours.
Yahoo Recovery
Go to login.yahoo.com, click "Trouble signing in?" Yahoo offers recovery via phone, backup email, or Yahoo Account Key. If those are unavailable, use the account recovery form that asks for account details to verify ownership.
Step 2 — If You Regained Access
The moment you are back in your account, move fast — the attacker may still be monitoring it.
- Change your password immediately — use a strong, unique password (a long passphrase, or at least 16 random characters generated by a password manager) that you have never used anywhere else. Do not reuse any previous password.
- Check mail forwarding and filters — attackers commonly add a forwarding address, or a filter that deletes, archives, or forwards certain messages, so that they keep receiving your mail (and hide the warnings your contacts send) even after you change the password. In Gmail check Settings > See all settings > Forwarding and POP/IMAP, and Filters and Blocked Addresses; in Outlook.com check Settings > Mail > Forwarding, and Settings > Mail > Rules. Delete every entry you did not create yourself.
- Review connected apps and permissions — this lives in your Google Account security settings (myaccount.google.com > Security), not in Gmail itself: open the list of third-party apps with account access and revoke any you do not recognize, and delete any app passwords you did not create. Microsoft accounts have an equivalent list in the Privacy section of account.microsoft.com. An app token granted to the attacker can survive a password change, so do not skip this step.
- Sign out all other sessions — Gmail: scroll to the bottom of the inbox > Details > Sign out all other sessions. Outlook: Account security > Sign out everywhere.
- Check your recovery email and phone number — make sure the attacker has not changed them or added their own. Restore your own recovery options.
- Scan your device for malware — if an infostealer or keylogger captured your password once, it will capture the new one too. Run a full scan (Malwarebytes, or the antivirus you already have) and, until it comes back clean, change passwords from a different device you trust.
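For a work mailbox on Exchange Online / Microsoft 365, an administrator can run the checks above (forwarding, rules, connected apps, sessions) and review recent sign-ins from PowerShell instead of clicking through the portal. The script below is an added example, not code from this page or from IT Cares. It assumes (hypothetically) that the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator holds the Exchange Administrator role, that the compromised user is victim@example.com, and that the user normally signs in from the countries listed in `$expected`. Run it without `-Remediate` first to get a report, then again with the switch to apply the fixes.

```powershell
<#
  Added example (not from the original page or from IT Cares):
  post-compromise checks for one Exchange Online / Microsoft 365 mailbox.
  Assumptions (hypothetical): ExchangeOnlineManagement and Microsoft.Graph
  modules installed, Exchange Administrator role, user victim@example.com.
  Usage:  .\Check-CompromisedMailbox.ps1 -User victim@example.com [-Remediate]
#>
param(
    [Parameter(Mandatory = $true)][string]$User,   # e.g. victim@example.com
    [switch]$Remediate                             # apply fixes, not just report
)

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.RevokeSessions.All' -NoWelcome

# 1. Mailbox-level forwarding (set from OWA "Forwarding" or by an admin).
$mbx = Get-Mailbox -Identity $User
if ($mbx.ForwardingSmtpAddress -or $mbx.ForwardingAddress) {
    Write-Warning "Mailbox forwarding set: SmtpAddress=$($mbx.ForwardingSmtpAddress) Address=$($mbx.ForwardingAddress) KeepCopy=$($mbx.DeliverToMailboxAndForward)"
    if ($Remediate) {
        Set-Mailbox -Identity $User -ForwardingSmtpAddress $null -ForwardingAddress $null -DeliverToMailboxAndForward $false
    }
}

# 2. Inbox rules that forward, redirect, delete or hide mail. Attackers often
#    give them blank or innocuous names and move replies to RSS Feeds/Archive.
$rules = Get-InboxRule -Mailbox $User | Where-Object {
    $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo -or
    $_.DeleteMessage -or $_.MoveToFolder -or $_.MarkAsRead
}
foreach ($r in $rules) {
    Write-Warning ("Inbox rule '{0}' Enabled={1} ForwardTo={2} RedirectTo={3} Delete={4} MoveTo={5}" -f `
        $r.Name, $r.Enabled, ($r.ForwardTo -join ';'), ($r.RedirectTo -join ';'), $r.DeleteMessage, $r.MoveToFolder)
    if ($Remediate) {
        # Disable rather than remove so the rule survives as evidence.
        Disable-InboxRule -Identity $r.Identity -Mailbox $User -Confirm:$false
    }
}

# 3. Delegates the attacker may have added for persistence (FullAccess etc.).
$delegates = Get-MailboxPermission -Identity $User | Where-Object {
    -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF'
}
foreach ($d in $delegates) {
    Write-Warning "Mailbox delegate: $($d.User) has $($d.AccessRights -join ',')"
    if ($Remediate) {
        Remove-MailboxPermission -Identity $User -User $d.User -AccessRights $d.AccessRights -Confirm:$false
    }
}

# 4. OAuth consent grants: third-party apps the user (or the attacker) authorised.
$uid = (Get-MgUser -UserId $User).Id
foreach ($g in (Get-MgOauth2PermissionGrant -Filter "principalId eq '$uid'")) {
    $app = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    "App grant: $($app.DisplayName) scopes=[$($g.Scope)]"   # review and revoke unfamiliar ones
}

# 5. Who changed the rules, and from where (last 30 days of the unified audit log).
$events = Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -UserIds $User -Operations New-InboxRule, Set-InboxRule, UpdateInboxRules, Set-Mailbox -ResultSize 500
foreach ($e in $events) {
    $data = $e.AuditData | ConvertFrom-Json
    '{0:u} {1} from {2}' -f $e.CreationDate, $e.Operations, $data.ClientIP   # ClientIP present for most Exchange ops
}

# 6. Recent sign-ins: flag countries you do not expect for this user.
$expected = @('US')   # hypothetical: adjust to where the user actually works
Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$User'" -Top 50 |
    Where-Object { $_.Location.CountryOrRegion -notin $expected } |
    ForEach-Object { Write-Warning "Sign-in from $($_.Location.CountryOrRegion) $($_.IpAddress) at $($_.CreatedDateTime) app=$($_.AppDisplayName)" }

# 7. Kick every existing session (the attacker's included). Do this after the
#    password reset, otherwise the attacker simply signs in again.
if ($Remediate) {
    Revoke-MgUserSignInSession -UserId $User | Out-Null
}

Disconnect-ExchangeOnline -Confirm:$false
```

The rules are disabled rather than deleted and the audit-log output is kept, because the sign-in IPs, the rule names and the time the rules were created are exactly what an insurance or compliance report will ask for later.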
Need This Fixed Right Now?
IT Cares fixes this remotely in 30 minutes or less — from $59. No fix = no charge.
Step 3 — If You Are Still Locked Out
If standard recovery fails, you have more options. Do not give up — accounts can often be recovered even without immediate access to recovery contacts.
- Use backup codes — if you saved 2FA backup codes when you set up your account, each one substitutes for the second factor (the phone you no longer have). They do not replace your password, so if the attacker changed that as well you still need the provider's recovery flow.
- Try a trusted device — signing in from a device that was previously authenticated may bypass some verification steps.
- Contact provider support directly — Google Workspace, Microsoft 365, and paid email accounts have dedicated support channels with human agents who can verify identity through billing records, ID documents, or domain ownership.
- For business email (Exchange/M365) — your IT administrator can reset your account without going through Google or Microsoft consumer recovery flows.
Step 4 — Secure Your Account Against Future Attacks
Once you are back in, these steps will make it much harder for an attacker to get into your account again:
Enable Two-Factor Authentication (2FA)
This is the single most important security upgrade you can make. With 2FA, a hacker who has your password still cannot sign in without the second factor. Use an authenticator app (Google Authenticator, Authy) rather than SMS if possible: SIM swap attacks can bypass SMS-based 2FA. Be aware that a phishing page which relays your one-time code to the real site in real time can still get past app-generated codes, so if your provider supports passkeys or a hardware security key, those are the stronger choice.
Use a Password Manager
Stop reusing passwords. A password manager (Bitwarden is free, 1Password is excellent for businesses) generates and stores unique passwords for every site. A breach on one site never endangers another.
Add a Recovery Email and Phone
Make sure your account always has up-to-date recovery options. Use an email address on a different provider (e.g., backup Gmail for your Outlook and vice versa) so that if one is compromised, you can still recover the other.
Review Connected Third-Party Apps
Many apps request "read your email" permissions. Audit these every few months and revoke access to apps you no longer use, along with any app passwords you no longer need. Fewer connected apps means a smaller attack surface.
What Hackers Do With Your Email
Understanding attacker motivation helps you act with urgency. Once inside your inbox, a hacker can:
- Reset passwords for banking, shopping, and social media — your email is the master key to every online account linked to it
- Export your contact list — sell it to spammers or use it to send targeted phishing attacks to people who trust you
- Send spam and phishing emails at scale — using your reputation to trick recipients into clicking malicious links
- Search for sensitive information — financial statements, tax documents, business contracts, passwords in old emails
- Hold the account for ransom — particularly against businesses or high-profile individuals
When to Call IT Cares
Most personal email recoveries can be handled by following the steps above. However, professional help is strongly recommended when:
- The hacked account is a business or work email with sensitive company data, client information, or financial records
- You suspect the breach was part of a larger attack on your business network
- You cannot complete recovery on your own and fear losing the account permanently
- You need to document the breach for compliance, insurance, or legal purposes
- You want a full security audit of all connected accounts and devices after the incident
Frequently Asked Questions
How did my email get hacked?
The most common causes are: reusing a password exposed in a data breach on another site, clicking a phishing link that captured your credentials, installing malware that logged your keystrokes, or using unsecured public Wi-Fi where credentials were intercepted. Visit haveibeenpwned.com to see if your email appeared in a known breach.
Can I recover my account without my recovery phone or backup email?
Yes, but it is harder. Google and Microsoft both offer identity verification flows where you answer questions about your account history: previous passwords, account creation date, devices you signed in from. The more information you can provide, the better your chances. A backup recovery email helps significantly.
Should I just create a new email address?
Not necessarily. If you can recover the account and thoroughly clean it (change password, revoke sessions, remove forwarding rules, enable 2FA) it is usually better to keep your existing email. You have contacts, saved emails, and services linked to it. Create a new one only if recovery is impossible or the account was used for serious fraud.
Is changing my password enough?
No. On most providers changing your password ends other active sessions, but do not rely on that alone: explicitly sign out everywhere, because some devices and third-party app tokens can survive a password change. You must also remove any forwarding rules or filters the attacker set up, revoke third-party app access, and verify the recovery email and phone number they may have changed. If they installed malware on your device, it may capture the new password as well, so run a full antivirus scan before you trust that device again.
How do I check whether my email was in a data breach?
Visit haveibeenpwned.com and enter your email address. This free service checks your email against hundreds of publicly known data breaches. If your email appears, change your password for every service where you used the same credentials immediately.
Comments
I was completely locked out of my Gmail — the hacker had changed both my recovery phone and backup email. Thankfully I had backup codes stored safely offline. The recovery process using those codes worked perfectly. This guide helped me understand what to check after getting back in, especially the forwarding rules tip which I never would have thought to look at.
Our company Outlook was compromised and the attacker had already used it to send phishing emails to three of our clients. I called IT Cares and they connected remotely within 20 minutes. They recovered the account, removed the malicious forwarding rules, ran a security audit on the rest of our M365 environment, and set up 2FA for the whole team. Incredible service — worth every penny given what could have happened to our client relationships.