Move quickly.
It’s not uncommon for someone somewhere to gain access to someone else’s Google account and use it to send spam or worse. Sometimes the account password is changed; sometimes not. Sometimes traces are left; sometimes not.
Sometimes the entire account is destroyed; you can lose your account permanently.
If you think that has happened to you, here’s what you need to do next.
Become a Patron of Ask Leo! and go ad-free!
Google account hacked!
If you suspect your Google account has been hacked:
- Recover access to your account.
- Change your password.
- Check or set your account recovery information.
- Let your contacts know.
- Learn from the experience.
- Get help if you need it.
1. Recover your account
Log in to your Google account right away. If you can, consider yourself very lucky and proceed to step 2.
If you can’t log in even though you know you’re using the correct password, then the hacker has probably changed your password.
Proceed to my article Lost Gmail Account Recovery With No Phone or Alternate Email. Google includes several recovery options provided you set them up beforehand. As long as you did, they may allow you to regain control of your account and reset your password.
Follow those instructions carefully and completely. I regularly hear from people who give up at the first sign of failure even though Google may offer additional options.
If that recovery method doesn’t work, it is no longer your account. Unless you backed it up, everything in it is gone forever, and you can skip the next two items. You’ll need to set up a new account from scratch.
2. Change your password
When you regain access to your account, or if you never lost it, immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better.
But don’t stop here. Changing your password is not enough.
3. Change (or set) your recovery information
While the hacker has access to your Gmail account, they may elect to leave your password alone. That way, you may not notice the account has been hacked for a while longer.
But whether they changed your password or not, they may go in and change the recovery information.
The reason is simple: when you finally get around to changing your password, the hacker can follow the “I forgot my password” steps, reset the password out from underneath you, and hack your account again using the recovery information they set.
Check the alternate email addresses associated with your account and remove any you don’t recognize or no longer have access to. The hacker could have added his own. Make sure all the email addresses belong to you and that you will continue to be able to access those accounts.
Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize, and make sure that if a phone number is provided, it’s yours.
Overlooking information entered for account recovery could allow the hacker to hack back in. And, of course, failing to set any recovery information dramatically lessens the chances of recovering a hacked account. Take the time to carefully review and/or set up this information.
4. Let your contacts know
Some people may disagree with me, but I recommend letting your friends know your account was hacked, particularly if your account was sending spam while out of your control.
I believe it’s important so they know not to pay attention to messages received while the account was in someone else’s control. They can also be on the lookout for phishing attempts by the hacker using information gathered from your account while they had access to it.
5. Learn from the experience
One of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked and take appropriate steps to protect yourself from a repeat occurrence.
- Use long passwords that can’t be guessed. Use a password vault so you can set truly secure passwords.
- Don’t share your password with anyone.
- Don’t fall for phishing attempts. If they ask for your password, they are bogus.
- Don’t click links in email or private messages you aren’t 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in and steal your password when you try.
- If you’re using Wi-Fi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date and run up-to-date anti-malware tools.
- Learn to use the internet safely.
- Consider enabling two-factor authentication so that simply knowing the password is not enough to gain access.
If you are fortunate enough to be able to identify exactly how your password was compromised (which isn’t common), absolutely take measures so it never happens again.
Do this
If you’re having difficulty with the process, make sure to follow the recovery process completely. There may be an option to ask Google for help. It’s unclear how responsive they are, and I wouldn’t expect a quick response by any means, but it may serve as a last resort. Or it may not be present.
While you’re at it, find someone who can help you set up a more secure system for your account by following the steps above.
The reality is that you and I are ultimately responsible for our own security. That means taking the time to learn and set things up securely. Yes, additional security can be seen as an inconvenience. In my opinion, dealing with a hacked account is significantly more than inconvenient. It’s worth the trouble to do things right in the first place.
I can help you with that. Subscribe to Confident Computing, my weekly newsletter with tips on how to stay safe and never lose your account again. Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
Podcast audio
Related Video
So, how do you back up gmail, especially your contacts?
You can back up your emails by using an email program like Thunderbird, Outlook.exe, or the Windows Mail App. Unfortunately, contacts can’t be backed up using those programs. You can use the Export Contacts function in Gmail.
Click om the “waffle” icon towards the upper right of Gmail or any logged in Google window, and click “Contacts”.
Click the Up arrow to export contacts, choose from Google.csv, Outlook.csv, or vCard. I suggest either Google.csv or Outlook.csv as they can be read by any spreadsheet program. Google.csv is best if you want to reimport them to Gmail.
All this can be avoided by performing three simple steps:
1. Set up recovery information for your email account(s).
2. Set up 2FA for those accounts. With 2FA enabled, your email account(s) can’t be accessed and your recovery information and password can’t be changed without your second device (for me, it’s my phone where I have the Microsoft Authenticator App installed).
3. Use a password manager, keep all your passwords in it’s vault, and set up a long master password that you won’t forget (I use several words run together in ‘camelCase’ format (the first word is all lowercase, then each additional word starts with a capitol letter, and I use a numeric character and some special character at the end, like ‘groovBoardLockerDog1#’ (a 20 character password!). This way the Master password is long enough to be very secure, and it’s easy to memorize and remember since it’s the only one you have to know by heart. Note: My real master password is very different :).
If you do the three things I listed above, you should never lose access to your email account(s) again. Further you should do these three things with all of your Internet accounts with the exception that you can use your password manager to create/generate your Internet account passwords. By using a password manager, you don’t even have to know what your Internet account passwords are because it knows them and takes care of authenticating you when you log into an account. These three things are what I do for any account I set up and I suggest you do the same.
Ernie (Oldster)
My google account hacked today 8 hours ago. I unable to access any google products and I am unable to recover with any of the recovery methods because of hacker removed all my recovery methods. Please help me out from this.
I am writing another email id because orignal one i unable to access. Please provide me the best solution.
Thank You.
(Sorry for the form response, but I get this question A LOT.)
Please review the account recovery options as outlined in this article: https://askleo.com/access-gmail-without-phone-verification/
If Google’s recovery process doesn’t work for you — maybe you don’t have the recovery email or phone — MAKE SURE to follow Google’s instructions CAREFULLY and COMPLETELY.
If the recovery process can’t be made to work, I know of no way to recover the account. If that’s your situation I’m very sorry.
If you DO recover your account you’ll want to check the steps in this article to prevent losing it again (it discusses Facebook, but the steps apply to Google as well): https://askleo.com/facebook-hacked/
I believe I was hacked online I could not recover any of my information so I had to get a new phone set up a new account couldn’t recover anything so they still have access but I did change the password