First: Stay Calm — You Can Fix This
If your email account was hacked, take a slow breath. This feels scary, but it is a problem you can fix step by step. Email account hacking happens to millions of people every year through phishing emails, reused passwords, data breaches, fake login pages, stolen devices, or unsafe apps. You are not the first person this has happened to, and you are not powerless.
What is at stake right now? The hacker may be able to read your emails, reset passwords for other accounts, send scam messages to your contacts, or hide changes inside your inbox. What is not always at stake immediately? It does not always mean your bank account has been stolen, your identity is fully taken, or every account you own is lost. The next few minutes matter most. If you act quickly, you can lock the hacker out, regain access to your email, protect your other accounts, and warn the people who may receive fake messages from you.
Signs That Your Email Has Been Hacked
- Sent emails you did not write: You see strange messages in your Sent folder, or people reply to messages you never sent.
- Locked out of your account: Your normal password no longer works, even though you are sure you typed it correctly.
- Password changed without your action: You receive a security alert saying your password was changed, but you did not change it.
- Friends reporting suspicious emails from you: Contacts tell you they received links, attachments, gift card requests, or strange messages from your address.
- Unfamiliar devices in your account activity: You see phones, computers, browsers, or apps you do not recognize.
- Forwarding rules you did not set: Your emails are being copied or sent to another address without your permission.
- Recovery email or phone number changed: Your backup email, phone number, or security information has been replaced.
- Account activity from unknown locations: Your account shows sign-ins from cities, countries, or IP locations that do not match you.
Immediate Steps to Take Right Now
Step 1: Try to Regain Access to Your Account
If you are locked out, start with the official account recovery page for your email provider. Do not click recovery links from random emails or search ads. Type the address yourself into your browser, or use the provider’s official help page.
- For Gmail: Go to https://accounts.google.com/signin/recovery. Enter your Gmail address and follow the steps. Google may ask for your last password, your recovery phone, your recovery email, a code from a device you used before, or other proof that the account belongs to you.
- For Outlook or Hotmail: Go to the Microsoft sign-in page and choose the password reset or account recovery option. If normal reset options do not work, use Microsoft’s account recovery form. You may be asked about old passwords, recent email subjects, contacts you emailed, Skype details, Xbox details, or billing information linked to the account.
- For Yahoo: Use Yahoo’s Sign-in Helper. Enter your Yahoo email address, phone number, or recovery email. Yahoo may send a verification code to your recovery phone, recovery email, or Yahoo app if those options are still available.
If you cannot access your recovery email, choose another verification option if one appears. Try a recovery phone number, a device where you are still signed in, or a previous password. Use a device and location you normally use, such as your home Wi-Fi and your regular phone or computer. This helps the provider recognize you.
Step 2: Change Your Password Immediately
Once you get back in, change your password before doing anything else. The new password must be unique. That means you should not use the same password you use for Facebook, Amazon, banking, work, school, or any other account.
- Make it long: Use at least 14 to 16 characters if possible.
- Make it unique: Do not reuse an old password or a small change of an old password.
- Make it hard to guess: Avoid names, birthdays, pets, favorite teams, simple patterns, or words like password.
- Use a password manager: A password manager can create and store strong passwords for you, so you do not have to remember every one.
A strong password could be a random mix of words, numbers, and symbols, but the best option for most people is to let a trusted password manager create it. If your email was hacked because of a reused password, changing only your email password is not enough. You will need to change other accounts too.
Step 3: Enable Two-Factor Authentication
Two-factor authentication, also called 2FA or two-step verification, is one of the most important steps after you regain access to a hacked email account. It adds a second check when someone tries to log in. Even if a hacker knows your password, they may still be blocked because they do not have your second factor.
- Open your account security settings: Look for Security, Sign-in, Login, or Account protection.
- Turn on two-factor authentication: Choose the strongest method available.
- Use an authenticator app if possible: An app is usually safer than SMS text messages because phone numbers can be targeted by SIM swap scams.
- Save backup codes: Store backup codes somewhere safe, such as a password manager or printed copy in a secure place.
- Remove unknown 2FA methods: If you see a phone number, app, passkey, or device you do not recognize, remove it.
Do this before you relax. A hacker may try to get back in after you change the password. Two-factor authentication helps shut the door.
Step 4: Check and Remove Suspicious Forwarding Rules
Hackers often create forwarding rules so they can keep reading your email even after you change your password. This is sneaky because your inbox may look normal while copies of your messages are silently sent somewhere else.
- In Gmail: Open Gmail on a computer. Go to Settings, then See all settings. Check the Forwarding and POP/IMAP tab. Remove any forwarding address you do not recognize. Then check Filters and Blocked Addresses. Delete filters that forward, archive, delete, or mark important emails as read without your permission.
- In Outlook: Open Outlook on the web. Go to Settings, then Mail. Check Forwarding and Rules. Turn off forwarding you did not create. Delete rules that send mail to another address, move security emails, hide bank emails, or delete password reset messages.
Pay close attention to rules that mention banks, PayPal, Amazon, social media, password resets, invoices, or security alerts. A hacker may try to hide important warnings from you.
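The same review can be run over an exported filter list. The Python sketch below is an added example, not part of the original guide: it assumes the XML file that Gmail produces when you export filters from the Filters and Blocked Addresses tab, and it flags filters that forward, delete, archive, or mark mail as read. The function name `audit_filters`, the keyword list, and the sample export are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Actions the guide says to look for: delete, archive, mark as read.
HIDING_ACTIONS = {"shouldTrash": "deletes mail", "shouldArchive": "skips the inbox",
                  "shouldMarkAsRead": "marks mail as read"}
# Topics the guide says a hacker may try to hide, matched against filter criteria.
SENSITIVE = ("bank", "paypal", "amazon", "password", "reset", "invoice", "security")
CRITERIA = ("from", "to", "subject", "hasTheWord")

def audit_filters(xml_text, my_addresses=()):
    """Return (criteria, reasons) pairs for filters that need a manual review."""
    known = {a.lower() for a in my_addresses}
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        reasons = []
        target = props.get("forwardTo", "")
        if target and target.lower() not in known:
            reasons.append(f"forwards mail to {target}")
        for name, meaning in HIDING_ACTIONS.items():
            if props.get(name, "").lower() == "true":
                reasons.append(meaning)
        criteria = " ".join(props[c] for c in CRITERIA if props.get(c))
        if reasons and any(word in criteria.lower() for word in SENSITIVE):
            reasons.append("matches security or money-related mail")
        if reasons:
            findings.append((criteria, reasons))
    return findings

# Constructed sample export, not taken from a real account.
SAMPLE = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><title>Mail Filter</title>
    <apps:property name='subject' value='password reset'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
    <apps:property name='shouldTrash' value='true'/></entry>
  <entry><title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.org'/>
    <apps:property name='label' value='Reading'/></entry>
</feed>"""

if __name__ == "__main__":
    for criteria, reasons in audit_filters(SAMPLE):
        print(f"REVIEW filter [{criteria}]: " + "; ".join(reasons))
```

Pass your own forwarding addresses as `my_addresses` so that forwarding you set up yourself is not flagged; everything else in the output is a candidate for deletion in the settings page.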
Step 5: Review Apps Connected to Your Email
Some apps can connect to your email account. This can be normal when you use a calendar app, email app, phone app, or productivity tool. But if a hacker tricks you into approving a fake app, that app may keep access even after you change your password.
- Open account security settings: Look for Connected apps, Third-party access, Apps with access, or App permissions.
- Review every app: Ask yourself if you know the app, still use it, and trust it.
- Remove anything unknown: Revoke access for apps you do not recognize, old apps you no longer use, or apps with broad access to mail, contacts, files, or calendar.
- Check app passwords: Some accounts allow special app passwords. Delete any app password you did not create.
This step is important because changing your password may not always remove every connected app. If the hack came from a fake app permission, this is where you stop it.
Step 6: Log Out of All Active Sessions
After changing your password and checking apps, force your account to sign out everywhere. This can remove the hacker from any browser, phone, computer, or mail app where they are still logged in.
- In Gmail: Go to your Google Account, then Security. Check Your devices or Manage all devices. Review the list and sign out of devices you do not recognize. Also review Recent security activity.
- In Outlook: Go to your Microsoft account security page. Review sign-in activity and devices. Use the option to sign out everywhere if available, and remove devices you do not recognize.
- On your phone: Remove unknown mail profiles, unknown VPN apps, or strange apps that appeared around the time of the hack.
If you are using a shared computer, public computer, or work computer, sign out there too. Do not save the new password in a browser you do not fully trust.
After You Regain Access: What to Do Next
Change Passwords on Every Account That Uses This Email
Your email is the reset key for many other accounts. If a hacker controls your inbox, they may try to reset passwords for banking, shopping, social media, cloud storage, crypto, work tools, or phone accounts. That is why email security matters so much.
- Start with money accounts: Banking, credit cards, PayPal, Venmo, Cash App, crypto, tax accounts, and payment apps.
- Then secure social accounts: Facebook, Instagram, TikTok, X, LinkedIn, YouTube, Snapchat, and messaging apps.
- Then secure shopping accounts: Amazon, eBay, Walmart, Etsy, online stores, delivery apps, and subscription services.
- Then secure cloud and work accounts: Google Drive, OneDrive, Dropbox, iCloud, Microsoft 365, work portals, and school accounts.
Use a different password for every account. If one password was stolen, you do not want it to unlock your whole life.
Check Your Bank and Payment Accounts
Look at your bank, credit card, and payment app activity for anything you do not recognize. Do not only check large charges. Hackers sometimes test accounts with small transactions first.
- Review recent transactions: Look for unknown purchases, transfers, withdrawals, subscriptions, or saved payment changes.
- Check saved addresses: Shopping accounts may have new shipping addresses added by the hacker.
- Contact your bank quickly: If you see anything suspicious, call the number on the back of your card or use the official bank app.
- Freeze or replace cards if needed: Your bank can tell you the safest next step.
Do not reply to emails that claim to be from your bank during this time. Go directly to the bank’s official website or app.
Warn Your Contacts
If your account sent scam messages, warn your contacts. Keep the message short and clear. Do not include suspicious links or attachments.
You can send a message like this:
My email account was hacked. Please do not open any strange links, attachments, invoices, gift card requests, or urgent messages that came from my address recently. I have secured the account now. If you clicked anything, change your password and scan your device.
If your account sent messages to coworkers, clients, church members, classmates, or family groups, warn those groups first. Scammers often use trust to trick people quickly.
Check If Your Email Was in a Data Breach
A data breach happens when a company, website, or app leaks user information. Your email address may appear in a breach even if your email provider was not hacked. If your old password was reused on another site, a hacker may use it to break into your email.
- Go to Have I Been Pwned: Open haveibeenpwned.com.
- Enter your email address: Type the email you want to check.
- Read the result: If your email appears in a breach, review which sites were involved and what type of data was exposed.
- Change reused passwords: If you used the same or similar password on any breached site, change it immediately.
- Turn on breach alerts: You can sign up to be notified if your email appears in a future breach.
If your email appears in a breach, do not panic. It does not always mean your email account was hacked. It means your email address, and possibly other data, was found in leaked records. The correct response is to use unique passwords, enable 2FA, and watch important accounts closely.
If You Cannot Get Back Into Your Account
If you cannot regain access to your hacked email account, keep using the official recovery process. Do not pay random people online who claim they can hack the account back for you. Many of those services are scams, and they may steal more information from you.
- Gmail account recovery: Use https://accounts.google.com/signin/recovery. Try from a device, browser, and location you used before. Use the most accurate answers you can remember. If recovery fails, wait and try again later with better information instead of guessing many times.
- Outlook account recovery process in 2026: Start with Microsoft password reset. If you cannot verify with your recovery email or phone, use the Microsoft account recovery form. Fill it out from a familiar device and provide as many correct details as possible, such as old passwords, recent email subjects, contacts, Xbox details, Skype details, or billing information connected to the account.
- Yahoo account recovery process in 2026: Use Yahoo Sign-in Helper. Yahoo may ask for a recovery phone, recovery email, or verification through the Yahoo app. If the hacker changed your recovery information, use any remaining option Yahoo offers and follow the prompts carefully.
- If all recovery options fail: Create a new secure email account, enable 2FA immediately, and update your most important accounts to use the new address.
- Contact provider support directly when possible: Use only official help pages from Google, Microsoft, Yahoo, your workplace, your school, or your internet provider.
If the hacked email was used for work, school, banking, taxes, medical records, legal documents, or business accounts, treat it as urgent. Tell your IT department, bank, or service provider right away. They may be able to freeze access, protect records, or help you verify your identity.
How to Prevent Your Email From Being Hacked Again
- Use a unique strong password: Your email password should never be used anywhere else. Make it long, random, and hard to guess. If another website leaks your password, your email should still stay safe.
- Enable 2FA using an authenticator app: Two-factor authentication adds another lock to your account. An authenticator app is usually better than text messages because it is harder for a criminal to steal through phone number tricks.
- Use a password manager: A password manager helps you create strong passwords and remember them safely. It also reduces the temptation to reuse simple passwords.
- Be careful with phishing emails: Do not click login links from urgent emails. If a message says your account will be closed, your package failed, your payment declined, or your password must be verified, go directly to the official website instead of using the link.
- Do not use email on public Wi-Fi without a VPN: Public Wi-Fi in airports, hotels, cafés, and malls can be risky. A trusted VPN can help protect your connection, especially when you need to check email away from home.
- Review connected apps regularly: Every few months, check which apps have access to your email. Remove old apps, unknown apps, and apps you no longer need.
- Keep recovery information up to date: Make sure your recovery phone number and backup email are current. If you change phone numbers, update your account before you lose access to the old number.
Frequently Asked Questions
Can someone hack my email without knowing my password?
Yes. A hacker may get into your email without directly knowing your current password. They might steal a login session from malware, trick you into approving a fake sign-in request, abuse a connected app, use a stolen device, or reset the password if they control your recovery email or phone. This is why you should change your password, remove unknown apps, sign out of all sessions, check recovery information, and enable two-factor authentication.
Should I create a new email account after being hacked?
Not always. If you can recover the account, change the password, enable 2FA, remove suspicious rules, remove unknown apps, update recovery information, and sign out of all devices, you can often keep using the same email address. But creating a new email may be wise if you cannot get the account back, if the hacker keeps returning, if the email is very old and full of spam, or if it was used for sensitive business or financial accounts.
Is it worth reporting the hack to authorities?
Sometimes, yes. If the hacker stole money, opened accounts in your name, threatened you, used your email for fraud, accessed work data, or stole personal documents, report it. You can contact your bank, your email provider, your workplace or school IT team, and your local cybercrime or consumer protection authority. Even if the account is recovered, reporting serious fraud can help protect your money, records, and identity.