Your Gmail is the master key to your digital life — password resets for your bank, social media, shopping, and work all flow through it. So a hacked Google account is not just lost email; it is a doorway to everything. The good news: Google has one of the strongest recovery systems of any provider, and if you act methodically you can usually get back in and lock the attacker out. Here is exactly how.
Signs Your Google Account Was Hacked
- You are signed out and your password no longer works.
- Google sent a "suspicious sign-in" or "your password was changed" alert you did not trigger.
- Sent messages, or password-reset emails for other services, that you did not initiate.
- Your recovery phone or email was changed.
- Contacts report spam or scams coming from your address.
Step 1 — Recover the Account
Go to accounts.google.com/signin/recovery
Enter your email and follow the prompts. Google verifies you with your recovery phone, backup email, a device you are already signed in on, or questions about your account. Do this from a device, browser, and location you normally use — familiar context is one of Google's strongest trust signals and greatly improves success.
Use a signed-in device if you have one
If your phone is still signed in to the account, Google can send a prompt there to approve the reset instantly — the fastest route back in.
No recovery options? Answer the identity questions
If the attacker changed your recovery phone and email, Google's flow asks what it can: your most recent password, roughly when you created the account, and recognisable details. Provide accurate answers and try from a familiar device. Persistence and correct detail win here.
Locked out and stuck? Skip the trial-and-error.
Our certified bilingual tech remotes in, walks you through every recovery step, and secures the account on the spot — same day, from $59. No fix, no fee.
Step 2 — Clean Out What the Attacker Left Behind
This step is unique to email and the one most people miss. Changing your password is not enough — attackers plant ways to keep reading your mail. Once back in, check every item:
- Forwarding: Gmail Settings → Forwarding and POP/IMAP. Remove any forwarding address you did not add.
- Filters: Settings → Filters and Blocked Addresses. Delete filters that auto-forward, archive, mark-as-read, or delete incoming mail — attackers use these to silently intercept password-reset emails.
- Delegated access: check whether your account was granted to another address (Accounts → Grant access).
- Recovery phone & email: Security → restore your own and remove the attacker's.
- App passwords & third-party access: Security → revoke anything you do not recognise.
- Sign out everywhere: in your Google Account → Security → Your devices → sign out unfamiliar sessions.
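To make the filter and forwarding checks in Step 2 repeatable, here is an added Python example (not IT Cares' or Google's code) that flags the patterns listed above: forwarding, silent archiving, mark-as-read, and deletion, escalated when the filter targets reset or security mail. The inputs are shaped like the Gmail API responses for users.settings.filters.list and users.settings.getAutoForwarding; the sample account is constructed and the keyword list is an assumption.

```python
"""Flag Gmail filters and auto-forwarding that divert or hide mail. Inputs follow the shape
of the Gmail API filters.list and getAutoForwarding responses; the sample data is constructed."""
# Label edits attackers use to hide mail from the owner (Gmail system label IDs).
HIDING_LABELS = {
    ("removeLabelIds", "INBOX"): "skips the inbox (silent archive)",
    ("removeLabelIds", "UNREAD"): "marks mail as read so it is never noticed",
    ("addLabelIds", "TRASH"): "deletes matching mail",
    ("addLabelIds", "SPAM"): "buries matching mail in spam",
}
# Assumed terms suggesting the filter targets reset or security notices.
RESET_KEYWORDS = ("password", "reset", "verification", "security alert", "sign-in")

def audit_filter(flt):
    """Return the reasons one filter looks malicious; an empty list means clean."""
    action = flt.get("action", {})
    reasons = []
    if action.get("forward"):
        reasons.append(f"forwards matching mail to {action['forward']}")
    for key in ("removeLabelIds", "addLabelIds"):
        for label in action.get(key, []):
            if (key, label) in HIDING_LABELS:
                reasons.append(HIDING_LABELS[(key, label)])
    # Escalate only filters that already divert or hide mail, based on what they match.
    if reasons:
        criteria = " ".join(str(v) for v in flt.get("criteria", {}).values()).lower()
        if any(word in criteria for word in RESET_KEYWORDS):
            reasons.append("criteria target password-reset or security mail")
    return reasons

def audit_account(filters, auto_forwarding, known_addresses=()):
    """Return (item, reasons) pairs for the forwarding setting and each suspect filter."""
    findings = []
    target = auto_forwarding.get("emailAddress")
    if auto_forwarding.get("enabled") and target not in known_addresses:
        findings.append(("auto-forwarding", [f"all mail forwarded to {target}"]))
    for flt in filters:
        reasons = audit_filter(flt)
        if reasons:
            findings.append((flt.get("id", "?"), reasons))
    return findings

# Constructed sample: one benign newsletter filter, one classic interception filter.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "news@example.com"},
     "action": {"addLabelIds": ["Label_12"], "removeLabelIds": ["INBOX"]}},
    {"id": "f2", "criteria": {"query": "subject:(password reset OR security alert)"},
     "action": {"forward": "attacker@example.net",
                "removeLabelIds": ["INBOX", "UNREAD"], "addLabelIds": ["TRASH"]}},
]
SAMPLE_AUTO_FORWARDING = {"enabled": True, "emailAddress": "attacker@example.net"}
```

The benign newsletter filter is still reported because it archives mail, which is exactly what the checklist tells you to review by hand; only the filter matching reset mail carries the escalated reason.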
Need This Fixed Right Now?
IT Cares recovers locked and hijacked accounts remotely — usually in 30 minutes or less, from $59. No fix = no charge.
Step 3 — Lock It Down for Good
Turn on 2-Step Verification — with an app or passkey
Use an authenticator app (Google Authenticator, Authy) or a passkey rather than SMS, which can be defeated by SIM-swap attacks. This is the single biggest protection: a stolen password alone becomes useless.
Run Google's Security Checkup
Visit myaccount.google.com/security-checkup — it flags risky access, recent sign-ins, and weak settings in one pass.
Use a unique password + a manager
Never reuse your Google password elsewhere. Credential stuffing, where attackers try passwords leaked in a breach of another site, is the #1 way Google accounts get taken over.
Consider Advanced Protection if you are a target
Journalists, executives, and activists can enrol in Google's Advanced Protection Program, which requires physical security keys and blocks most phishing outright.
Why Gmail Is the Hacker's Favourite Target
Understanding the motive explains the urgency. With your Gmail, an attacker can:
- Reset passwords everywhere — banking, PayPal, Amazon, social media all send reset links to your inbox.
- Search years of mail for tax documents, invoices, IDs, and passwords sent in plain text.
- Impersonate you to your contacts, vendors, or employer for fraud.
- Lock you out by changing recovery details, then ransom the account.
- Hijack linked services — YouTube, Google Pay, Drive, Photos, and any "Sign in with Google" app.
Google Account vs. Gmail: They're the Same Login
People think of "Gmail" and "Google account" separately, but they share one login. Recovering Gmail recovers YouTube, Drive, Photos, Google Pay, and every app you use "Sign in with Google" for. That is why securing this one account matters so much — and why you should audit those connected apps after a breach, not just your email.
When to Call IT Cares
- The hacked account is a Google Workspace / business account with company data — your admin can reset it, and we can run a full tenant security review.
- You cannot complete recovery and fear permanent loss.
- The attacker used your Gmail to reset other accounts (bank, social) and you need a coordinated clean-up.
- You want a full security audit of every device and connected account after the incident.
IT Cares connects remotely, walks you through Google's recovery, strips out malicious filters and forwarding, sets up 2-Step Verification correctly, and secures your linked accounts — same day, anywhere in Canada.
Frequently Asked Questions
Go to accounts.google.com/signin/recovery and verify your identity with your recovery phone, backup email, a signed-in device, or account questions. Do it from a device and location you normally use — Google trusts familiar context. Once in, change your password, sign out other sessions, and remove any filters, forwarding, or app access the attacker added.
Yes, but it's harder. Google's flow lets you answer questions about your account — last-known password, approximate creation date, recognisable labels. Doing it from a browser and device you've signed in from before greatly improves your odds. Be patient and accurate.
After regaining access, open Settings → 'Forwarding and POP/IMAP' and remove unknown forwarding, then Settings → 'Filters and Blocked Addresses' and delete filters that auto-forward, archive, or delete mail. Attackers use these to keep reading password-reset emails even after you change your password.
It signs out all other sessions, removing active access. But you must also revoke third-party apps and app passwords, delete malicious filters/forwarding, and verify your recovery phone and email. If malware captured the password, run a full scan or it may be stolen again.
Turn on 2-Step Verification with an authenticator app or passkey (not SMS), run Google's Security Checkup, use a unique password from a manager, and review your devices and third-party app access regularly. High-value targets should consider the Advanced Protection Program.

Comments
Got the 'suspicious sign-in' alert at 2am; by morning my password was changed. Recovered using my old phone that was still signed in — the prompt approval worked instantly. The forwarding-rule tip is what saved me; the hacker had set my mail to auto-forward to their address and I'd never have checked Settings on my own.
My whole Google Workspace account at work was compromised and the attacker was resetting client logins through it. IT Cares jumped on a remote session, recovered it through our admin, cleaned the filters, set up 2-Step for the whole team and audited Drive sharing. Fast and thorough.