The steps you need to take as soon as possible.

It seems like not a day goes by when I don’t get a question from someone that boils down to their email account having been hacked.
Someone, somewhere, has gained access to their account and is using it to send spam, access other online accounts, hassle contacts, and more. Sometimes passwords are changed, sometimes not. Sometimes traces are left, sometimes not. Sometimes everything in the account is erased — including contacts and saved email — and sometimes not.
If that’s happening to you, your email account has been hacked.
Here’s what to do next.

Email hacked?
If your email has been hacked, here’s how you fix it.
- Recover your account.
- Change your password.
- Verify and/or change your account recovery information.
- Set up two-factor authentication.
- Check your out-of-office messages, auto-responders, forwards, and signatures.
- Check all related accounts for possible compromise.
- Let your contacts know.
- Start backing up.
And perhaps above all, learn from the experience so it doesn’t happen again.
1. Recover your account
Log in to your account using your email provider’s website.
If you can log in successfully, consider yourself extremely lucky and proceed to Step 2 right away.
If you can’t log in even though you’re sure you’re using the right password, then the hacker has probably changed your password. The password you know is no longer the correct password.
You must then use the “I forgot my password” or equivalent account recovery options offered by the service.
This usually means the service will send password-reset instructions to an alternate email address that you have access to, or send a text message to a mobile phone number you set up previously.
If the recovery methods don’t work — because the hacker changed everything or because you no longer have access to the old alternate email or phone — you may be out of luck.
If recovery options don’t work for whatever reason, your only recourse is to use the customer service phone numbers or email addresses provided by that email service. For free email accounts, there is usually no customer service. Your options are generally limited to self-service recovery forms, knowledge base articles, and official discussion forums where service representatives may (or may not) participate. For paid accounts, there are typically additional customer service options that are more likely to be able to help.
Important: If you cannot recover access to your account, it is now someone else’s account. I can’t stress this enough. It is now the hacker’s account. Unless you’ve backed it up, everything in it is gone forever, and you can skip to Step 6. You’ll need to set up a new account and start over.
Help keep it going by becoming a Patron.
2. Change your password
Once you regain access to your account (or if you never lost it), immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better, but make sure your new password is at least 16 characters, and ideally 20 or more (if the service supports it).
But don’t stop there.
3. Change or confirm your recovery information
While a hacker has access to your account, they might leave your password alone so you won’t notice the hack for a while longer.
But whether or not they change your password, they may change all the recovery information.
The reason is simple: if you change your password, the hacker can follow the “I forgot my password” steps, and they can reset the password out from underneath you using the recovery information they set.
Thus, you need to check all of it — and change much of it — right away.
- Change the answers to your secret questions if your account uses them. They don’t have to match the questions (you might say your mother’s maiden name is “Microsoft”, for example); all that matters is that the answers you give during a future account recovery match the answers you set today.
- Check the alternate email address(es) associated with your account and remove any you don’t recognize. The hacker could have added their own. Make sure you have alternate email addresses configured and that they are accounts that belong to you that you can access. I really can’t emphasize that last point enough: the number of accounts that are lost because folks could not access the recovery email address is amazing.
- Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize. Make sure that if you provide a phone number, it’s yours and no one else’s, and you have access to it. As with alternate email addresses, I really can’t emphasize the last point enough: the number of accounts that are lost because people could not access the recovery mobile number is scary.
These are the major items, but many services use additional information for account recovery. Take the time now to research that information. If it’s something a hacker could change, change it.
Overlooking information used for account recovery allows the hacker to easily hack back in. Make sure you take the time to carefully check and reset all as appropriate.
It’s a simple trap that too many people fall into, causing them to lose their email account forever. Check out A One-step Way to Lose Your Account Forever.
4. Set up two-factor authentication
If you don’t have it enabled on your account already, now is the time to enable two-factor authentication.
Why? Because if you had enabled it, you wouldn’t be here. Two-factor authentication means that even if hackers discover your password, they still can’t sign in. They don’t have the second factor — your phone, an authentication app, access to a specific email address, etc. — that only you do. Without that access, they simply can’t get in.
And don’t let the hype about SMS being less than secure stop you, if that’s your only option. A) It’s more than secure enough for the average user. B) It’s still better than no two-factor authentication at all.
5. Check “out of office” messages, reply-to, forwards, and signatures
If your email service provides an out-of-office feature, a vacation auto-responder, or an automatic signature, it’s possible people already know you’re hacked.
Hackers have been known to set an auto-responder in a hacked account to automatically reply with their spam. Each time someone emails you, they get this fake message in return, often written so it sounds like you sent it.
If your account includes the ability to set a different “Reply-To:” email address, make sure that hasn’t been set. Hackers can set this so individuals who think they’re replying to you end up replying to the hacker instead.
Make sure your email is not being automatically forwarded to another email address. If it’s available, hackers often set this option to receive copies of every email you get. They can use this to break into your account again even after you recover it.
Check any signature feature the service supports. Hackers often set up a signature so that every email you send includes whatever they’re promoting, including a link to a malicious website.
6. Check related accounts
This is perhaps the scariest and most time-consuming aspect of account recovery. The risks are high, so understanding this is important.
While the hacker has access to your account, they have access to your email, including past and current emails as well as what arrives in the future.
Let’s say the hacker sees that you have a notification email from your Facebook account. The hacker now knows you have a Facebook account and the email address you use for it. The hacker can go to Facebook, enter your email address, and request a password reset.
That password reset is sent to your email account, which the hacker has access to.
As a result, the hacker can now hack your Facebook account by virtue of having hacked your email account.
In fact, the hacker can now gain access to any account associated with the hacked email account.
Like your bank. Or PayPal.
Let me say that again: because the hacker has access to your email account, he or she can request a password reset be sent to it from any other account for which you use this email address. In doing so, the hacker can hack and gain access to those accounts.
What you need to do: check your other accounts for password resets you did not initiate and any other suspicious activity.
If there’s any doubt, consider changing the passwords on all those accounts as well. (There’s a very strong argument for checking or changing the recovery information for these accounts, just as you checked on your email account, for all the same reasons.)
7. Let your contacts know
Some disagree with me, but I recommend letting your contacts know your account was hacked, either from the account once you’ve recovered it or from your new email account.
Inform all the contacts in the online account’s address book, because that’s the address book the hacker had access to.
I believe it’s important to notify your contacts so they know not to pay attention to email sent while the account was hacked. Occasionally, hackers try to impersonate you to extort money from your contacts. The sooner you let them know the account was hacked, the sooner they’ll know that any such request — or even the more traditional spam that might have come from your account — is bogus.
8. Start backing up
A common reaction to my recommendation that you let your contacts know is, “But my contacts are gone! The hacker erased them all, and all of my email as well!”
Yep. That happens.
It’s part of a hacker not wanting to leave a trail. They delete everything they’ve done, along with everything you have. Or had.
If you’re like most people, you’ve not been backing up your online email. All I can suggest at this point is to see if your email service will restore it for you. In general, they will not. Because the deletion was not their doing, but rather of someone logged into the account, they may claim it’s your responsibility.
Hard as it is to hear, they’re absolutely right.
Start backing up your email now. Start backing up your contacts now.
For email, that can be setting up a PC to periodically download the email or setting up an automatic forward of all incoming email to a different account, if your provider supports that. For contacts, it could be setting up a remote contact utility (relatively rare, I’m afraid) to mirror your contacts on your PC, or periodically exporting your contacts and downloading them, which is what I do.
9. Learn from the experience
Aside from “you should have been backing up”, one of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked, and take appropriate steps to protect yourself from a repeat occurrence.
- Use strong passwords that can’t be guessed, and don’t share them with anyone.
- Use a password manager.
- Use two-factor authentication.
- Don’t fall for email phishing attempts. If an email asks for your password, it is bogus.
- Don’t click on links in email you are not 100% certain of. Many phishing attempts lead you to fake sites asking you to log in, and then steal your password when you try.
- If you’re using Wi-Fi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date, and run up-to-date security software.
- Learn to use the internet safely.
If you are fortunate enough to be able to identify exactly how your password was compromised (it’s not common), then absolutely take measures so it never happens again.
10. If you’re not sure, get help
If the steps above seem too daunting or confusing, then get help. Find someone who can help you get out of the situation by working through the steps above.
While you’re at it, find someone who can help you set up a more secure system for your email and advise you on the steps you need to take to prevent this from happening again.
Then follow those steps.
The reality is that you and I are responsible for our own security. That means taking the time to learn how to set things up securely and then doing so.
Yes, additional security can feel like an inconvenience. In my opinion, dealing with a hacked email account is significantly more inconvenient and occasionally downright dangerous. It’s worth the trouble to do things right.
If that’s still too much… well, expect your account to get hacked again.
Addendum: Is it my computer or not?
When faced with this situation, many people worry that malware on their computer is responsible.
That is rarely the case.
In the vast majority of these situations, your computer was never involved.
The problem is not on your computer. The problem is simply that someone else figured out your password and logged into your account. They could be on the other side of the planet, far away from you and your computer (and often they are).
Yes, it’s possible that a keylogger was used to capture your password. Yes, it’s possible that your PC was used improperly at an open Wi-Fi hotspot. So, yes, absolutely, scan it for malware and use it safely, but don’t think for a moment that once you’re malware-free, you’ve resolved the problem. You have not.
You need to follow the steps outlined here to regain access to your account and protect it from further compromise.
You’ll use your computer to do it, but your computer is not the problem.
Do this
In addition to all the steps above, I suggest one more step: share this article or video.
As I said, email account theft is rampant. Share this article with friends and family. Statistically, one of you will soon encounter someone whose account has been hacked and will need this information.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.



![Why Password Managers Are [Still] Safer than the Alternatives](https://bcdn.askleo.com/wp-content/uploads/2021/01/vault-1-300x158.jpg.webp)

For those who want peace of mind for their Gmail account I suggest buying two Yubikey’s (just the standard ones which require a USB port to work, which is $40 tops for two) as this way even if someone gets a hold of your username/password they still can’t get access to your Gmail account (this is the more secure form of two-factor authentication available as other forums are not fool proof unlike this which has not been bypassed yet and it’s been around for many years now). the reason I suggest (as far as I am concerned it’s required) buying two Yubikey’s is you use one of the two in general and keep one in a secure location so this way if you happen to lose your Yubikey you can always use the other to login to your account and remove the lost/stolen Yubikey and then you could simply buy another one and register it to your Gmail account so then you have two registered keys once again. this is solid advice because if some shady person gets a hold of your email account they can potentially use it to reset passwords etc for a lot of other accounts you got and can create a huge pain in the butt for you. so basically… transfer all of your important stuff you do online to a Gmail account secured by Yubikey and no one will be able to take over your account as it can’t be Phished etc. NOTE: those who register the two basic/cheapest Yubikey’s to their account you MUST have a device with a standard USB port on it to login to Gmail otherwise you cannot login (normally you just type in your username/password on Gmail but with YubiKey enabled you type in your username/password and then insert the Yubikey and tap the device with your finger and it will log you in). besides I suggest avoiding smart phones for anything important online as if one has too much stuff solely in their smart phone that’s just a security disaster waiting to happen as if someone steals it, your screwed. it’s best to use a proper desktop computer for doing important stuff online and always keep backups and one should be using a password manager as this way you get a unique password for ALL accounts you have online so if one account became compromised you ain’t got to worry about it being used against the other accounts since they will have different passwords on them. just make sure to make at least one backup copy of your password managers database and store it in a secure location. so this way if your computer’s hard drive dies, you can use the backup copy to restore the password managers database and your good to go again.
but those who are still using Yahoo email, I suggest moving anything important off of that to Gmail as it’s more secure as Yahoo has proven they can’t be trusted given the hacks in the past. Yahoo email can be okay as a backup account without anything important tied to it though but for anything important a person does online, Gmail is definitely more secure, especially once you set up the Yubikey’s with it.
Hi
I have some questions, hoping you will be able to shed some lights.
My employer is in education business, they use G suite account. I sometimes noticed the bottom right corner next to Details shows “being used in one other location” highlighted in “yellow; and “bold” . However, at that time, I did not login my school email account from other device, mobile or anything. After a while, it was unhighlighted but leaving the words “open in 1 other location”. The next day, I discovered the words of “open in 1 other location ” was not even there, so there was nothing next to “Details”. Tonight, I opened my account again, the “open in 1 other location” but not highlighted is still here.
I am suspecting my account can be accessed by my employer without my notice as the G suite administrator at school could do it.
Also, previously I noticed there was another IP address accessed my school email account several times, with similar IP address serial numbers, but only the last part of the no which was different, I suspected it was generated from a Central place. I went about on the internet to try to locate the IP address, but could not find anything as it says the IP address is wrong.
What is more scary was, I discovered that my personal hotmail email account was also hacked by a similar serial no. I wonder if the IT department from our school could help do such an evil things.
My friend told me to go to the Police as they might have high technology to trace the IP address.
I do not want to get paranoid over this, but I really want to know the truth.
Please kindly reply.
Thanks
Ms Cheung
More often than not it’s simply a browser or app you left running without explicitly signing out.
Good evening, I am hoping you can point me in the right direction please.
Bought a product online which asked me to login to my (new) account to download my purchase.
The login autofilled when I clicked onto it but although my email address was correct,right beside it there was an unknown name and web address which was presented without the @ symbol.
Should I be worried?
Appreciate your help / advice.
Probably not, but it really does boil down to the specifics. It sounds like nothing more than an errant entry in your browser’s auto-fill.
I just got an email from someone who claimed to be sending a photo from a mutual friend who has recently had a stroke. When I clicked on the link (stupid, I know), I got a “this site cannot be reached” message. Pretty sure the message was fake. But since I tried to open it, I’m wondering if that leaves me vulnerable in some way?
Small possibility, but unlikely. I’d do nothing more than remain vigilant.
You may want to comment on the difference between hacking your email account and spoofing your email account. Many people think their email has been hacked when in fact there is someone spoofing.
Good idea, but you could have explained it yourself 🙂
But seriously, spoofing is when a spammer or scammer sends out email using your email address. All they need to know is your name and email address and use it as a return address and voila, it’s been spoofed. No hacking skills are required. It’s similar to creating a fake social media account. All they need is your name and a few photos of you and voila, it’s been spoofed.
So, Leo, you’ve used the term “hacked” many times over the years in your fine articles. Please define “hacked”. Thanks.
Good point. It could mean many things. I think the base definition here would be “gained unauthorized access to”, regardless of the method.
Hi Leo,
Your last name means “walnut tree” in Dutch, so that fact might drive you nuts:
https://translate.google.com/?sl=nl&tl=en&text=notenboom&op=translate
(LOVE the newsletter – thank you!)
I’ve known that for many, many years. 🙂
I don’t know any Dutch but living in Germany, I figured it meant that. In German, your name would be Nussbaum.
Yep. And then include many (many) misspellings and mispronunciations (my name is spoken differently in Dutch than it is when speaking English) and mispronunciations of mispronunciations on immigration (think Ellis Island, though that’s not where my parents arrived), and you can understand why there are so many different names and variations.
No one listens . If my email has been hacked (password and contact phone has been changed)
HOW am I to sign in to change them. Hello !!!!! They have been changed (can’t sign in to change)
We do listen. It’s just that the answer isn’t what you want to hear: you must follow the account recovery steps offered by the provider carefully and completely. If those don’t work, then you can’t sign in. Your account is lost.
My Facebook hecked and Email hacked recovar my facebook id
We cannot recover hacked accounts, lost or forgotten passwords. Please see this article for more information on your options:
https://askleo.com/would_you_please_recover_my_password_my_account_has_been_hacked_or_ive_forgotten_it/
these articles discuss recovery options for the various ways that these accounts can be lost or compromised:
https://askleo.com/how_do_i_recover_my_facebook_log_in_password/ and/or
https://askleo.com/how-do-i-recover-my-hacked-facebook-account/
Unfortunately, if you no longer have access to the recovery email account or phone number, your account may be lost forever. It’s important to always keep these up to date on your account.
https://askleo.com/a-one-step-way-to-lose-your-account-forever/