5 Things You Should Do Immediately After Your Email Gets Hacked

Fact-checked by the SnapMessages editorial team

Imagine logging into your email and finding hundreds of sent messages you never wrote, password reset requests flooding your inbox, and contacts texting you about suspicious links you supposedly sent. That sickening, stomach-dropping moment is something millions of Americans experience every year. Knowing the right email account hacked steps in those first critical minutes can mean the difference between a minor inconvenience and a financial catastrophe.

The scale of email compromise is staggering. According to the FBI’s 2023 Internet Crime Report, Business Email Compromise (BEC) alone cost victims over $2.9 billion in a single year. More broadly, Verizon’s 2023 Data Breach Investigations Report found that compromised credentials were involved in 49% of all breaches. Email is the gateway — once a hacker owns your inbox, they can reset passwords on your bank, your social media, your cloud storage, and every other account tied to that address.

This guide gives you a precise, prioritized recovery plan. You will learn exactly what to do in the first hour, which accounts to lock down first, how to trace the damage, and how to permanently close the door on whoever got in. Every step is backed by data, ordered by urgency, and written so you can act fast — even if you are panicking right now.

Recognize the Signs Your Email Has Been Hacked

Not every hack announces itself loudly. Many attackers prefer to stay invisible, monitoring your inbox for weeks before making a move. Knowing the warning signs lets you catch a breach early — and early action saves money, time, and reputation.

Obvious Red Flags to Watch For

The clearest signs include unexpected password-reset emails for accounts you did not initiate, friends reporting strange messages from your address, and unfamiliar sent-folder activity. You may also see login alerts from unknown locations or devices.

Other signals are subtler. Watch for email rules you did not create, forwarding addresses you do not recognize, and large blocks of emails marked as read when you never opened them. These patterns suggest someone is silently siphoning your communications.

Warning Signs by Category

If you see even one of these signs, assume a breach has occurred. Do not wait for confirmation. Begin the email account hacked steps outlined in this guide right now.

Regain Access to Your Email Account Immediately

If you are still locked out of your account, recovering access is your absolute first priority. Without access, you cannot change settings, revoke sessions, or warn contacts. Every minute you spend locked out is a minute the attacker spends inside.

Use the Provider’s Account Recovery Flow

Every major email provider — Gmail, Outlook, Yahoo — has an account recovery pathway. Go directly to the provider’s official website and click “Forgot password” or “Can’t access your account.” Do not use links from any email in your inbox, as those could be phishing traps placed by the same attacker.

During recovery, you will typically be asked to verify your identity using a backup email address, a phone number for SMS verification, or answers to security questions. If the hacker has already changed your recovery options, most providers offer an identity verification process that can take 24–72 hours. Start it immediately — every hour of delay extends your window of vulnerability.

What to Do If Recovery Fails

If automated recovery does not work, contact the provider’s support team directly. Google’s Account Recovery support page and Microsoft’s live chat support are your fastest routes. Have identifying information ready: your account creation date, recent login locations, and the last password you remember.

While waiting for access to be restored, immediately begin securing every other account that was linked to that email address. Do not assume the hacker has done nothing yet — act as if every linked account is already compromised.

Change Your Password and Enable Two-Factor Authentication

Once you have access, your first action inside the account must be an immediate password change. This is the most critical of all email account hacked steps. A new, strong password revokes the attacker’s current session access — provided you do it before they change the password themselves.

Creating a Password That Cannot Be Cracked

A strong password is at least 16 characters long, combines uppercase letters, lowercase letters, numbers, and symbols, and contains no dictionary words or personal information. Using a password manager like Bitwarden or 1Password generates and stores truly random passwords so you never have to memorize them.

Do not reuse your old password or any variation of it. Attackers often store harvested passwords and try variations automatically using tools like Hashcat, which can test billions of combinations per second on commodity hardware.

Setting Up Two-Factor Authentication the Right Way

Two-factor authentication (2FA) adds a second verification layer beyond your password. According to Microsoft’s security research, enabling 2FA blocks 99.9% of automated account attacks. Enable it immediately after regaining access.

The strongest 2FA method is an authenticator app such as Google Authenticator or Authy — these generate time-based codes that expire in 30 seconds and cannot be intercepted via SIM swapping. SMS-based 2FA is better than nothing, but it is vulnerable to SIM-swap attacks. If maximum security is your goal, consider reading about whether a hardware security key is right for your accounts.

Password Strength Comparison

Audit and Secure All Linked Accounts

Your email inbox is the master key to your digital life. Every account that uses “sign in with email” or “forgot password” is vulnerable the moment your email falls into the wrong hands. This step is where most people lose the most money — because they focus on the email and forget the bank.

Identify High-Priority Linked Accounts

Start with financial accounts: banking, PayPal, Venmo, Cash App, cryptocurrency wallets, and credit cards. These carry direct monetary risk. Change their passwords immediately, using a different password for each one. Do not use your newly recovered email password as a template.

Next, move to social media (Facebook, Instagram, LinkedIn), cloud storage (Google Drive, Dropbox, iCloud), and shopping accounts (Amazon, eBay, Etsy). Hackers can drain gift card balances, place fraudulent orders with stored credit cards, or impersonate you to scam your followers.

Using Have I Been Pwned

Visit HaveIBeenPwned.com and enter your email address. This free service checks your address against a database of over 12 billion compromised credentials from known data breaches. If your address appears, you will see which breach exposed it and when — giving you crucial intelligence about what the attacker may already know.

Cross-reference breach dates with any unusual activity in your accounts. A breach from 18 months ago may have been sitting dormant until now. Understanding the tactics hackers use to exploit compromised data can help you anticipate their next move.

Linked Account Priority Matrix

Scan Your Devices for Malware and Keyloggers

Changing your password on a compromised device is like locking a new deadbolt with someone already inside the house. If the attacker gained access through malware or a keylogger, your new password will be stolen the moment you type it.

Running a Full Malware Scan

Use a reputable security tool — Malwarebytes, Bitdefender, or your platform’s built-in scanner (Windows Defender on Windows, XProtect on macOS) — to run a full system scan before doing anything else on that device. Do not use the potentially infected device for banking or password changes until the scan is complete and clean.

If the scan finds anything, quarantine and remove it immediately. Some sophisticated malware can survive a standard removal — in those cases, a full operating system reinstall may be necessary. It sounds extreme, but it is the only guaranteed clean slate.

Checking for Spyware on Mobile

Email hacks increasingly originate from mobile devices. If you access email on your phone, that device needs scrutiny too. Unfamiliar apps, battery drain, unusual data usage, and overheating are all signs of potential spyware. Understanding how spyware operates on phones and how to remove it is an important part of any complete security response.

For Android users, check app permissions carefully. For iPhone users, review device management profiles under Settings. Any unknown configuration profile is a serious red flag that should be removed immediately.

Notify Your Contacts and Limit Collateral Damage

Once a hacker has your email, they immediately exploit your contact list. Your name and email address carry implicit trust — people click links from you that they would ignore from a stranger. This is why spear phishing campaigns launched from compromised accounts are so devastatingly effective.

What to Tell Your Contacts

Send a clear, brief message to your contact list — ideally from a secondary email or phone number — warning them that your account was compromised. Tell them to ignore any unusual links, attachments, or requests for money or gift cards they received from your address in the past 48–72 hours.

Be specific. Tell them the approximate time range during which the account was under attacker control. Encourage them to delete suspicious emails without opening attachments, and to check their own accounts if they clicked anything. This approach is a direct form of limiting the social engineering damage hackers do through trusted sender exploitation.

Handling Business and Work Contacts

If your compromised account is used for business, the stakes escalate sharply. Notify your employer’s IT department within the first hour. Business Email Compromise (BEC) attacks that originate from a real employee’s account have defrauded companies of hundreds of thousands of dollars in single transactions — often through fake wire transfer requests sent to finance teams.

Document everything: when you discovered the breach, what you observed, and what actions you have taken. This record will be important for IT forensics, insurance claims, and potential legal action.

Review Your Email Settings for Hidden Backdoors

Savvy attackers do not just read your email — they install persistent backdoors that continue working even after you change your password. Reviewing your email account settings is one of the most overlooked of all email account hacked steps, yet it is critical for ensuring the attacker cannot silently return.

Check Forwarding Addresses and Filters

Navigate to your email settings and look for any forwarding rules that send copies of your email to an external address. Attackers frequently set these up immediately upon gaining access, allowing them to monitor your inbox indefinitely — even after you have secured the account. Delete any forwarding address you do not recognize.

Also audit your email filters. Hackers sometimes create filters that automatically delete or archive security alerts, password reset emails, and bank notifications — effectively blinding you to their continued activity. If you find any filters you did not create, delete them immediately.

Review Connected Apps and Active Sessions

Check the “connected apps” or “third-party access” section of your email settings. Revoke access for any app or service you do not recognize or no longer use. OAuth tokens granted to malicious apps can persist indefinitely and do not require your password to function.

Then review active login sessions. Both Gmail and Outlook show you every device currently logged into your account, with approximate location data. End all sessions you do not recognize — and then end ALL sessions to force a clean login. This immediately boots the attacker out, even if they are actively inside your inbox right now.

Settings Audit Checklist

Report the Breach to the Right Authorities

Many victims skip this step — either because they feel embarrassed, think it will not help, or assume authorities cannot do anything. All three assumptions are wrong. Reporting a hack creates an official record, may trigger an investigation, and can directly help you recover financial losses if they occur.

Who to Report To

In the United States, report email-based fraud and hacking to the FBI’s Internet Crime Complaint Center (IC3) at IC3.gov. The IC3 coordinates with federal agencies and can initiate financial fraud recovery processes if money was transferred. File a report even if you lost nothing — aggregate reports help law enforcement identify patterns and dismantle hacking operations.

Also notify the Federal Trade Commission (FTC) via IdentityTheft.gov if personal information was exposed. This generates a personalized recovery plan and helps document the incident for credit monitoring and dispute purposes.

Reporting to Your Email Provider

Report the hack directly to your email provider using their official reporting channels. This helps them investigate whether the breach originated from their end, flag the attacker’s known IP addresses, and potentially assist with account recovery. Google, Microsoft, and Yahoo all have dedicated security incident reporting pathways.

If the hack led to unauthorized financial transactions, report it to your bank within 60 days of the statement date. Under the Electronic Fund Transfer Act, you may be entitled to a full refund of fraudulent transfers reported within that window. Time limits matter here — do not delay.

Build Long-Term Defenses to Prevent the Next Attack

Recovering from a hack is only half the battle. Without permanent structural changes to how you manage your digital security, you are statistically likely to face another breach. This final stage of the email account hacked steps process is about converting a painful experience into lasting protection.

Understand How You Were Hacked

Before you can prevent the next attack, you need to understand how this one happened. The most common entry points are phishing emails (clicking a malicious link), credential stuffing (your password leaked in a prior breach), weak or reused passwords, and social engineering. Understanding how attackers use fake QR codes and deceptive links to steal credentials can help you recognize the tactics used against you.

Check the login history in your email account for the IP address and location of the unauthorized access. Tools like IPinfo.io can help you trace the general geographic origin of the attack. While this rarely identifies the specific attacker, it may confirm whether the access was automated (credential stuffing from a botnet) or targeted (a human attacker).

Adopt a Layered Security Routine

No single tool provides complete protection. A strong defense combines a unique password for every account (managed by a password manager), 2FA on all critical accounts, regular breach monitoring via HaveIBeenPwned, and periodic security audits. Building this into a consistent habit is the key — learn how to build a personal digital security routine that actually sticks.

Consider upgrading to passkeys wherever supported. Passkeys eliminate the password entirely, replacing it with device-based cryptographic authentication that cannot be phished. Understanding why apps are switching to passkeys over passwords will help you make smarter account security choices going forward.

Ongoing Monitoring Tools

Your Action Plan

1. Regain account access within the first 15 minutes

   Use your email provider’s official account recovery page — not any link in your inbox. Verify your identity using your backup email, phone number, or security questions. If automated recovery fails, contact live support immediately and start the manual verification process. Begin this step even if you are still unsure whether you have been hacked.

2. Change your password on a clean device

   Before typing a new password on the potentially compromised machine, use a separate, trusted device. Create a password of at least 16 characters using a mix of letters, numbers, and symbols. Use a password manager to generate and store it. Never reuse any part of the old password.

3. Enable two-factor authentication immediately

   Turn on 2FA using an authenticator app (not SMS if possible) before doing anything else. This single action blocks 99.9% of future automated attacks. Store your backup codes in a secure, offline location — not in your email drafts folder.

4. Secure all linked financial accounts first

   Log into your bank, PayPal, Venmo, and credit card accounts from a clean device. Change their passwords, enable 2FA, and check for unauthorized transactions. Report any fraudulent activity to the institution within 60 days to preserve your recovery rights under federal consumer protection law.

5. Scan all your devices for malware

   Run a full scan using Malwarebytes or your built-in security tool on every device used to access that email account — computer, phone, and tablet. Do not enter any new passwords on a device that has not been scanned and cleared. If malware is found and cannot be fully removed, back up essential data and perform a clean operating system reinstall.

6. Audit your email settings for hidden backdoors

   Check forwarding rules, email filters, connected apps, and active sessions in your email settings. Delete every entry you did not create. End all active sessions to boot any current unauthorized access. This step is one of the most commonly skipped — and the one that allows attackers to maintain persistent access long after victims think they have secured the account.

7. Notify your contacts and relevant authorities

   Send a brief, clear warning to your contact list from a secondary communication channel. Report the incident to the FBI IC3 and, if identity information was exposed, to the FTC at IdentityTheft.gov. If business funds were involved, notify your employer’s IT team and initiate a bank wire recall within 24 hours for the best chance of recovery.

8. Build a permanent security routine to prevent recurrence

   Set up breach monitoring through HaveIBeenPwned email alerts. Adopt a password manager and use a unique password for every account. Schedule a quarterly security review of all account settings. Consider upgrading to passkeys and hardware security keys for your most critical accounts. Convert this crisis into the foundation of a stronger, lasting security posture.

Frequently Asked Questions

How do I know for certain that my email has been hacked?

The most definitive signs are login activity from unfamiliar locations or devices (visible in your account’s security settings), emails in your sent folder that you did not write, and password reset notifications for accounts you did not initiate. If your contacts report receiving suspicious messages from your address, that is near-certain confirmation.

You can also check HaveIBeenPwned.com to see if your email appeared in a known data breach. Keep in mind that absence from that database does not mean you are safe — not all breaches are publicly disclosed.

What is the very first thing I should do if my email is hacked?

The first action depends on whether you still have access. If you do, change your password immediately from a clean device and then enable 2FA. If you are locked out, start the provider’s account recovery process right now — every minute of delay is a minute the attacker operates freely inside your inbox.

Can hackers still access my email after I change my password?

Yes — if they have installed a forwarding rule, a connected app with OAuth access, or malware on your device, a password change alone will not stop them. That is why reviewing your email settings for backdoors and scanning your devices for malware are both essential parts of a complete recovery.

You should also end all active sessions after changing your password. This logs out every device currently connected to your account, including any device the attacker may be using.

How long do I have to report fraudulent bank transactions?

Under the Electronic Fund Transfer Act (EFTA), you must report unauthorized electronic transactions within 60 days of the statement date to receive full protection. If you report within 2 business days, your liability is capped at $50. Between 3 and 60 days, liability rises to $500. After 60 days, you may bear the full loss. Report as fast as possible.

Should I be worried about identity theft after an email hack?

Absolutely. Your inbox almost certainly contains enough information for identity theft — account statements, insurance documents, tax correspondence, and personal identification details. Place a free credit freeze with all three major bureaus (Equifax, Experian, TransUnion) if you believe sensitive personal data was exposed. A credit freeze is free, reversible, and prevents new accounts from being opened in your name.

What if the hacker changed my recovery phone number and email?

This is a common attacker tactic designed to lock you out permanently. Most providers have a manual verification process for exactly this scenario. Google, for example, will ask you to verify your identity using information about your account history — recent recipients you emailed, approximate account creation date, and previous passwords. The process typically takes 24–72 hours but is usually successful if you have used the account regularly.

Is it safe to use the same device after a hack?

Not until you have run a full malware scan and confirmed the device is clean. If the hack originated from a phishing link you clicked, a malicious attachment you opened, or software you installed, the device itself may be the source of the compromise. Use a separate clean device for all password changes and financial account access until you have verified the compromised device is safe.

Do I need to tell my employer if my work email was hacked?

Yes — immediately. Business email compromise can expose your employer to significant legal and financial liability. Most organizations have an incident response policy requiring employees to report suspected compromises within a specific timeframe. Failing to report promptly can have professional and legal consequences. Contact your IT security team as your very first call, even before attempting recovery yourself.

Can two-factor authentication be bypassed?

SMS-based 2FA can be bypassed through SIM-swapping attacks, where a criminal convinces your carrier to transfer your phone number to a SIM card they control. Authenticator app-based 2FA is significantly more resistant to this attack. Hardware security keys (FIDO2) are the most resistant form of 2FA currently available to consumers. For the highest-risk accounts, a hardware key is worth the $25–$50 investment.

How long does it typically take to fully recover from an email hack?

For most individuals, the acute phase — regaining access, changing passwords, securing linked accounts — takes 3–8 hours. The full audit, including device scans, settings review, contact notifications, and authority reports, typically requires 1–2 days. Ongoing monitoring and security hardening is a continuous process. Financial recovery, if funds were stolen, can take weeks to months and is not guaranteed.