The steps you need to take as soon as possible.
It seems like not a day goes by when I don’t get a question from someone that boils down to their email account having been hacked.
Someone, somewhere, has gained access to their account and is using it to send spam, access other online accounts, hassle contacts, and more. Sometimes passwords are changed, sometimes not. Sometimes traces are left, sometimes not. Sometimes everything in the account is erased — including contacts and saved email — and sometimes not.
If that’s happening to you, your email account has been hacked.
Here’s what to do next.
If your email has been hacked, here’s how you fix it.
- Recover your account.
- Change your password.
- Verify and/or change your account recovery information.
- Set up two-factor authentication.
- Check your out-of-office messages, auto-responders, forwards, and signatures.
- Check all related accounts for possible compromise.
- Let your contacts know.
- Start backing up.
And perhaps above all, learn from the experience so it doesn’t happen again.
1. Recover your account
Log in to your account using your email provider’s website.
If you can log in successfully, consider yourself extremely lucky and proceed to Step 2 right away.
If you can’t log in, you must use the “I forgot my password” or equivalent account recovery options offered by the service.
This usually means the service will send password-reset instructions to an alternate email address that you have access to, or send a text message to a mobile phone number you set up previously.
If the recovery methods don’t work — because the hacker changed everything or because you no longer have access to the old alternate email or phone — you may be out of luck.
If recovery options don’t work for whatever reason, your only recourse is to use the customer service phone numbers or email addresses provided by that email service. For free email accounts, there is usually no customer service. Your options are generally limited to self-service recovery forms, knowledge base articles, and official discussion forums where service representatives may (or may not) participate. For paid accounts, there are typically additional customer service options that are more likely to be able to help.
Important: If you cannot recover access to your account, it is now someone else’s account. I can’t stress this enough. It is now the hacker’s account. Unless you’ve backed it up, everything in it is gone forever, and you can skip to Step 6. You’ll need to set up a new account and start over.
2. Change your password
Once you regain access to your account (or if you never lost it), immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better, but make sure your new password is at least 12 characters, and ideally 16 or more (if the service supports it).
But don’t stop there.
3. Change or confirm your recovery information
While a hacker has access to your account, they might leave your password alone so you won’t notice the hack for a while longer.
But whether or not they change your password, they may change all the recovery information.
The reason is simple: if you change your password, the hacker can follow the “I forgot my password” steps and reset the password out from underneath you, using the recovery information they set.
Thus, you need to check all of it — and change much of it — right away.
- Change the answers to your secret questions if your account uses them. They don’t have to match the questions (you might say your mother’s maiden name is “Microsoft”, for example); all that matters is that the answers you give during a future account recovery match the answers you set today.
- Check the alternate email address(es) associated with your account and remove any you don’t recognize. The hacker could have added his or her own. Make sure you have alternate email addresses configured and that they are accounts that belong to you that you can access. I really can’t emphasize that last point enough: the number of accounts that are lost because folks could not access the recovery email address is amazing.
- Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize. Make sure that if you provide a phone number, it’s yours and no one else’s, and you have access to it. As with alternate email addresses, I really can’t emphasize the last point enough: the number of accounts that are lost because people could not access the recovery mobile number is scary.
These are the major items, but many services use additional information for account recovery. Take the time now to research that information. If it’s something a hacker could change, change it.
Overlooking information used for account recovery allows the hacker to easily hack back in. Make sure you take the time to carefully check and reset all as appropriate.
It’s a simple trap too many people fall into, causing them to lose their email account forever. Check out A One-step Way to Lose Your Account… Forever.
4. Set up two-factor authentication
If you don’t have it enabled on your account already, now is the time to enable two-factor authentication.
Why? Because if you had enabled it, you wouldn’t be here. Two-factor authentication means that even if hackers discover your password, they still can’t sign in. They don’t have the second factor — your phone, an authentication app, access to a specific email address, etc. — that only you do. Without that access, they simply can’t get in.
And don’t let the hype about SMS being less than secure stop you, if that’s your only option. A) It’s more than secure enough for the average user. B) It’s still better than no two-factor authentication at all.
5. Check “out of office” messages, reply-to, forwards, and signatures
If your email service provides an out-of-office or vacation-autoresponder feature or some kind of automatic signature that appears at the bottom of every email you send, it’s possible people already know you’re hacked.
Hackers often set an auto-responder in a hacked account to automatically reply with their spam. Each time someone emails you, they get this fake message in return, often written so it sounds like you sent it.
If your account includes the ability to set a different “Reply-To:” email address, make sure that hasn’t been set. Hackers can set this so individuals who think they’re replying to you end up replying to the hacker instead.
Make sure your email is not being automatically forwarded to another email address. If it’s available, hackers often set this option to receive copies of every email you get. They can use this to break into your account again, even after you recover it.
Check any signature feature the service supports. Hackers often set up a signature so that every email you send includes whatever they’re promoting, including a link to a malicious web site.
6. Check all related accounts for possible compromise
This is perhaps the scariest and most time-consuming aspect of account recovery. The risks are high, so understanding this is important.
While the hacker has access to your account, they have access to your email, including past and current emails as well as what arrives in the future.
Let’s say the hacker sees that you have a notification email from your Facebook account. The hacker now knows you have a Facebook account, and the email address you use for it. The hacker can go to Facebook, enter your email address, and request a password reset.
That password reset is sent to your email account… which the hacker has access to.
As a result, the hacker can now hack your Facebook account by virtue of having hacked your email account.
In fact, the hacker can now gain access to any account associated with the hacked email account.
Like your bank. Or PayPal.
Let me say that again: because the hacker has access to your email account, he or she can request a password reset be sent to it from any other account for which you use this email address. In doing so, the hacker can hack and gain access to those accounts.
What you need to do: check your other accounts for password resets you did not initiate and any other suspicious activity.
If there’s any doubt, consider changing the passwords on all those accounts as well. (There’s a very strong argument for checking or changing the recovery information for these accounts, just as you checked on your email account, for all the same reasons.)
7. Let your contacts know
Some disagree with me, but I recommend letting your contacts know your account was hacked, either from the account once you’ve recovered it or from your new email account.
Inform all the contacts in the online account’s address book, because that’s the address book the hacker had access to.
I believe it’s important to notify your contacts so they know not to pay attention to email sent while the account was hacked. Occasionally, hackers try to impersonate you to extort money from your contacts. The sooner you let them know the account was hacked, the sooner they’ll know that any such request — or even the more traditional spam that might have come from your account — is bogus.
8. Start backing up
A common reaction to my recommendation that you let your contacts know is, “But my contacts are gone! The hacker erased them all, and all of my email as well!”
Yep. That happens.
It’s part of a hacker not wanting to leave a trail. They delete everything they’ve done, along with everything you have. Or had.
If you’re like most people, you’ve not been backing up your online email. All I can suggest at this point is to see if your email service will restore it for you. In general, they will not. Because the deletion was not their doing, but rather of someone logged into the account, they may claim it’s your responsibility.
Hard as it is to hear, they’re absolutely right.
Start backing up your email now. Start backing up your contacts now.
For email, that can be setting up a PC to periodically download the email or setting up an automatic forward of all incoming email to a different account, if your provider supports that. For contacts, it could be setting up a remote contact utility (relatively rare, I’m afraid) to mirror your contacts on your PC, or periodically exporting your contacts and downloading them, which is what I do.
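One way to do the "set up a PC to periodically download the email" part is a small script that pulls every message over IMAP and keeps a copy on disk. The following is an added example, not code from the article or from any email provider; it uses only Python's standard library, opens the folder read-only so the backup can never mark or delete anything, names files by IMAP UID so reruns only fetch what is new, and refuses to store anything that does not parse as a dated message. The FakeImap class and SAMPLE_MESSAGES are constructed stand-ins so the script runs offline; a real imaplib.IMAP4_SSL connection (after login) has the same select()/uid() interface and can be passed to backup_folder in its place.

```python
import email
import os
import tempfile

def backup_folder(imap, folder, dest_dir):
    """Save each message in `folder` as <UID>.eml under dest_dir and return how many were saved.
    UIDs are stable within a folder, so reruns fetch only what is not already on disk."""
    os.makedirs(dest_dir, exist_ok=True)
    status, _ = imap.select(folder, readonly=True)  # readonly: never mark or alter server state
    if status != "OK":
        raise RuntimeError(f"cannot open folder {folder!r}")
    status, data = imap.uid("SEARCH", None, "ALL")
    if status != "OK":
        raise RuntimeError("UID SEARCH failed")
    saved = 0
    for uid in data[0].split():
        path = os.path.join(dest_dir, uid.decode() + ".eml")
        if os.path.exists(path):
            continue  # already backed up on an earlier run
        status, parts = imap.uid("FETCH", uid, "(RFC822)")
        if status != "OK" or not parts or not isinstance(parts[0], tuple):
            continue
        if email.message_from_bytes(parts[0][1]).get("Date") is None:
            continue  # refuse to store bytes that do not parse as a dated message
        with open(path, "wb") as fh:
            fh.write(parts[0][1])
        saved += 1
    return saved

class FakeImap:  # offline stand-in for imaplib.IMAP4 (same select()/uid() shape) for the demo
    def __init__(self, messages):
        self.messages = messages
    def select(self, folder, readonly=False):
        return "OK", [str(len(self.messages)).encode()]
    def uid(self, command, *args):
        if command == "SEARCH":
            return "OK", [b" ".join(self.messages)]
        return "OK", [(b"1 (UID " + args[0] + b" RFC822 {0})", self.messages[args[0]]), b")"]

SAMPLE_MESSAGES = {  # constructed sample mail, not real data; 103 is deliberately malformed
    b"101": b"From: a@example.com\r\nDate: Mon, 1 Jan 2024 10:00:00 +0000\r\nSubject: hello\r\n\r\nHi\r\n",
    b"102": b"From: b@example.com\r\nDate: Tue, 2 Jan 2024 10:00:00 +0000\r\nSubject: invoice\r\n\r\nSee attached\r\n",
    b"103": b"not an email at all\r\n",
}

def demo():
    """Back up the fake INBOX into a fresh temp dir; return (saved count, dir, files on disk)."""
    dest_dir = tempfile.mkdtemp()
    saved = backup_folder(FakeImap(SAMPLE_MESSAGES), "INBOX", dest_dir)
    return saved, dest_dir, sorted(os.listdir(dest_dir))
```

Calling demo() saves the two well-formed messages and skips the malformed one; a second call to backup_folder against the same directory saves nothing, which is what makes it safe to run from a daily scheduled task.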
9. Learn from the experience
Aside from “you should have been backing up,” one of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked, and take appropriate steps to protect yourself from a repeat occurrence.
- Use strong passwords that can’t be guessed, and don’t share them with anyone.
- Use a password manager.
- Use two-factor authentication.
- Don’t fall for email phishing attempts. If an email asks for your password, it is bogus.
- Don’t click on links in email you are not 100% certain of. Many phishing attempts lead you to fake sites asking you to log in, and then steal your password when you try.
- If you’re using WiFi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date, and run up-to-date security software.
- Learn to use the internet safely.
If you are fortunate enough to be able to identify exactly how your password was compromised (it’s not common), then absolutely take measures so it never happens again.
10. If you’re not sure, get help
If the steps above seem too daunting or confusing, then get help. Find someone who can help you get out of the situation by working through the steps above.
While you’re at it, find someone who can help you set up a more secure system for your email and advise you on the steps you need to take to prevent this from happening again.
Then follow those steps.
The reality is that you and I are responsible for our own security. That means taking the time to learn how to set things up securely and then doing so.
Yes, additional security can feel like an inconvenience. In my opinion, dealing with a hacked email account is significantly more inconvenient and occasionally downright dangerous. It’s worth the trouble to do things right.
If that’s still too much… well, expect your account to get hacked again.
11. Share this article
As I said, email account theft is rampant.
Share this article with friends and family. Statistically, one of you will soon encounter someone whose account has been hacked and will need this information.
Addendum: Is it my computer or not?
When faced with this situation, many people worry that malware on their computer is responsible.
That is rarely the case.
In the vast majority of these situations, your computer was never involved.
The problem is not on your computer. The problem is simply that someone else figured out your password and logged into your account. They could be on the other side of the planet, far away from you and your computer (and often they are).
Yes, it’s possible that a keylogger was used to capture your password. Yes, it’s possible that your PC was used improperly at an open WiFi hotspot. So, yes, absolutely, scan it for malware and use it safely, but don’t think for a moment that once you’re malware-free, you’ve resolved the problem. You have not.
You need to follow the steps outlined here to regain access to your account and protect it from further compromise.
You’ll use your computer to do it, but your computer is not the problem.
Footnotes & references
As I update this article periodically over the years, the list has grown from 7 to 10 items. Don’t let that stop you from taking all the steps to recover and keep your account secure.