How to Recover a Hacked Email Account

The Problem

Your email is the master key to your digital life. Almost every other account—banking, shopping, social media—can be reset through it. So when an email account is hacked, the stakes are high: an attacker can reset your other passwords, read private messages, and impersonate you to your contacts. Acting fast and in the right order is what limits the damage.

Signs Your Email Has Been Hacked

You may notice one or more of these:

You can't log in, even though you're sure of the password.
Friends report spam or strange messages "from you."
Sent items or password-reset emails you didn't request appear.
Your recovery phone number or backup email was changed.
Security alerts about logins from unfamiliar places.

If you spot these, treat it as urgent.

Step 1: Try to Log In and Change Your Password

If you can still get in, move immediately.

Log in and go to your account's security settings.
Change your password to a strong, unique one—see how to create strong passwords.
Do this from a device you trust, not a public or shared computer.

A new password instantly logs out anyone else who was signed in—on most providers there's a "sign out of all devices" option; use it.

Step 2: Use Account Recovery if You're Locked Out

If the password no longer works, use the provider's recovery process:

Gmail: go to the Google Account Recovery page.
Outlook/Hotmail: use Microsoft's account recovery form.
Yahoo/others: look for "Forgot password" or "Can't access account."

You'll verify your identity with a recovery phone, backup email, or security questions. Answer from a familiar device and location—it improves your chances. This is exactly why setting up account recovery options before trouble strikes is so important.

Step 3: Check What the Attacker Changed

Once you're back in, inspect these settings carefully and undo anything you didn't do:

Recovery phone and backup email—attackers swap these so they can lock you out again. Restore yours.
Forwarding rules—hackers often set your mail to secretly forward to their address. Delete any you don't recognize.
Filters—they may auto-delete bank or security alerts. Remove suspicious filters.
Connected apps—revoke access for anything unfamiliar.
Signatures—make sure no spam link was added to your signature.

Step 4: Turn On Two-Factor Authentication

This is what stops it from happening again. With two-factor authentication on, a stolen password alone won't get anyone in—they'd also need the code from your phone. Turn it on the moment you regain control.

Step 5: Secure Everything Connected to That Email

Because the attacker may have had access to your inbox, assume they could have reset other accounts.

Change passwords on your most important accounts—banking, shopping, social media—starting with any that use this email for recovery.
Use a unique password for each; a password manager makes this painless.
Check your bank and card statements for anything unfamiliar.

Step 6: Warn Your Contacts

Let friends and family know your account was compromised, so they ignore any spam or money requests sent in your name while the attacker had access. A quick heads-up prevents the scam from spreading—the same boss and "help me" scams often start from a hacked contact.

How Did This Happen—and How to Prevent It

Most email hacks trace back to one of these: a reused password leaked in a breach, a phishing email that captured your login, or malware on a device. Going forward:

Give your email a unique, strong password.
Keep two-factor authentication on.
Stay alert to phishing and never log in via email links.
Keep your devices clean—see remove a virus or malware.

Quick Recovery Checklist

Regain access (change password or use recovery).
Undo attacker changes (recovery info, forwarding, filters).
Enable two-factor authentication.
Secure linked accounts and check your bank.
Warn your contacts.

Move quickly and in this order, and you'll not only get your inbox back—you'll close the door that let the attacker in.