It’s not uncommon for someone somewhere to gain access to someone else’s Google account and use it to send spam or worse. Sometimes the account password is changed; sometimes not. Sometimes traces are left; sometimes not.
Sometimes the entire account is destroyed; you can lose your account permanently.
If you think that has happened to you, here’s what you need to do next.
Become a Patron of Ask Leo! and go ad-free!
Google account hacked!
If you suspect your Google account has been hacked:
- Recover access to your account.
- Change your password.
- Check or set your account recovery information.
- Let your contacts know.
- Learn from the experience.
- Get help if you need it.
1. Recover your account
Log in to your Google account right away. If you can, consider yourself very lucky and proceed to step 2.
Proceed to my article Lost Gmail Account Recovery With No Phone or Alternate Email. Google includes several recovery options provided you set them up beforehand. As long as you did, they may allow you to regain control of your account and reset your password.
Follow those instructions carefully and completely. I regularly hear from people who give up at the first sign of failure even though Google may offer additional options.
If that recovery method doesn’t work, it is no longer your account. Unless you backed it up, everything in it is gone forever, and you can skip the next two items. You’ll need to set up a new account from scratch.
2. Change your password
When you regain access to your account, or if you never lost it, immediately change your password.
As always, make sure it’s a good password: easy to remember, difficult to guess, and long. In fact, the longer the better.
But don’t stop here. Changing your password is not enough.
3. Change (or set) your recovery information
While the hacker has access to your Gmail account, they may elect to leave your password alone. That way, you may not notice the account has been hacked for a while longer.
But whether they changed your password or not, they may go in and change the recovery information.
The reason is simple: when you finally get around to changing your password, the hacker can follow the “I forgot my password” steps, reset the password out from underneath you, and hack your account again using the recovery information they set.
Check the alternate email addresses associated with your account and remove any you don’t recognize or no longer have access to. The hacker could have added his own. Make sure all the email addresses belong to you and that you will continue to be able to access those accounts.
Check any phone numbers associated with the account. The hacker could have set their own. Remove any you don’t recognize, and make sure that if a phone number is provided, it’s yours.
Overlooking information entered for account recovery could allow the hacker to hack back in. And, of course, failing to set any recovery information dramatically lessens the chances of recovering a hacked account. Take the time to carefully review and/or set up this information.
4. Let your contacts know
Some people may disagree with me, but I recommend letting your friends know your account was hacked, particularly if your account was sending spam while out of your control.
I believe it’s important so they know not to pay attention to messages received while the account was in someone else’s control. They can also be on the lookout for phishing attempts by the hacker using information gathered from your account while they had access to it.
5. Learn from the experience
One of the most important lessons to learn from this experience is to consider all the ways your account could have been hacked and take appropriate steps to protect yourself from a repeat occurrence.
- Use long passwords that can’t be guessed. Use a password vault so you can set truly secure passwords.
- Don’t share your password with anyone.
- Don’t fall for phishing attempts. If they ask for your password, they are bogus.
- Don’t click links in email or private messages you aren’t 100% certain of. Many phishing attempts lead you to bogus sites that ask you to log in and steal your password when you try.
- If you’re using Wi-Fi hotspots, learn to use them safely.
- Keep the operating system and other software on your machine up to date and run up-to-date anti-malware tools.
- Learn to use the internet safely.
- Consider enabling two-factor authentication so that simply knowing the password is not enough to gain access.
If you are fortunate enough to be able to identify exactly how your password was compromised (which isn’t common), absolutely take measures so it never happens again.
If you’re having difficulty with the process, make sure to follow the recovery process completely. There may be an option to ask Google for help. It’s unclear how responsive they are, and I wouldn’t expect a quick response by any means, but it may serve as a last resort. Or it may not be present.
While you’re at it, find someone who can help you set up a more secure system for your account by following the steps above.
The reality is that you and I are ultimately responsible for our own security. That means taking the time to learn and set things up securely. Yes, additional security can be seen as an inconvenience. In my opinion, dealing with a hacked account is significantly more than inconvenient. It’s worth the trouble to do things right in the first place.
I can help you with that. Subscribe to Confident Computing, my weekly newsletter with tips on how to stay safe and never lose your account again. Less frustration and more confidence, solutions, answers, and tips in your inbox every week.