It depends on what they did and what you did the first time.
Quite possibly, yes.
There are a number of things they could have done that would allow them to regain access. Fortunately, they’re mostly things in your control.
Assuming you know how to control them.
Preventing getting hacked again
After regaining access to a hacked email account, it’s crucial to:
- Update recovery information, as hackers often add their own. Check and secure alternate emails, phone numbers, and security questions.
- Ensure devices are malware-free, as keyloggers can capture your new password.
- For ongoing security, use two-factor authentication, strong unique passwords, and regularly review recovery options.
Recovery information
The most common way hackers get back into your account is by changing or adding recovery information while they have access to it the first time.
For example, they might add an alternate email address under their control. After you recover the account using your recovery information, all they need to do is repeat the process using their own, and they’re back in.
The solution is simple: once you regain access to an account, make absolutely certain to confirm that all the recovery information is accurate. Make sure alternate email addresses are yours, make sure phone numbers are yours, and make sure security questions are yours. If there are other items that can be used as recovery, such as recovery codes¹ or two-factor authentication devices, make sure those are yours as well.
If any of them have been changed (or are no longer accessible to you), then indeed, you could lose access to the account. Again.
Malware
This is perhaps the second most common way hackers can re-hack.
If your account was hacked due to malware on your device, and you’ve not discovered and removed that malware, then the hacker can easily regain access. A keylogger, for example, would allow them to capture any updated password as you update it.
Saved passwords
This is rare, but if the hacker has signed into your account and has the “remember me on this computer” item checked when they do so, it’s possible that the sign-in could persist across a password change on your part.
I say rare because most services are smart enough to invalidate all those “remember me” sessions when a password changes.
Unfortunately, unless there’s a “sign out everywhere” option provided by the service you’re using, there’s little to be done other than be alert for suspicious activity.
Passkeys
This is new, and like saved passwords, I expect it to be rare. It’s possible that once signed into your hacked account, a hacker could establish a passkey on their computer.
I say this should be rare for the same reason as saved passwords above: I’d expect the service to invalidate all passkeys if you change a password or perform some kind of account recovery.
Nonetheless, once you regain access to your account, make certain to check the passkeys listed and remove/disable any you don’t recognize.
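To make the “remember me” and passkey points concrete from the service’s side, here is an added example (not code from Ask Leo! or any real provider) of the mechanism the text expects a well-behaved service to have: every session records the account’s credential generation at sign-in, a password change or “sign out everywhere” bumps that generation so old sessions stop validating, and a recovery step lists registered passkeys so unrecognized ones can be removed. The `Account`, `Session` and function names are assumptions for illustration; the password hash field is a placeholder string, not real password storage.

```python
"""Added illustration: session and passkey invalidation on password change.

Assumed names and structures (Account, Session, sign_in, ...); not a real
provider's code. The password_hash field is a placeholder, not real hashing.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    token: str
    credential_generation: int  # generation of the account when this session began
    remember_me: bool


@dataclass
class Account:
    username: str
    password_hash: str  # placeholder; a real service stores a slow KDF output
    credential_generation: int = 0  # bumped on password change / recovery / sign-out-everywhere
    sessions: dict = field(default_factory=dict)  # token -> Session
    passkeys: dict = field(default_factory=dict)  # credential id -> label


def sign_in(acct: Account, remember_me: bool = False) -> str:
    """Issue a session token bound to the account's current credential generation."""
    token = secrets.token_urlsafe(32)
    acct.sessions[token] = Session(token, acct.credential_generation, remember_me)
    return token


def session_is_valid(acct: Account, token: str) -> bool:
    """A session is only valid while its recorded generation matches the account's.

    Checking the generation (rather than deleting tokens) is what makes
    "remember me" sessions die even when they are cached on other servers
    or still sitting in a browser cookie.
    """
    s = acct.sessions.get(token)
    return s is not None and s.credential_generation == acct.credential_generation


def change_password(acct: Account, new_password_hash: str) -> None:
    """Store the new credential and invalidate every existing session."""
    acct.password_hash = new_password_hash
    acct.credential_generation += 1


def sign_out_everywhere(acct: Account) -> None:
    """The 'sign out everywhere' option: invalidate sessions without a password change."""
    acct.credential_generation += 1


def register_passkey(acct: Account, credential_id: str, label: str) -> None:
    acct.passkeys[credential_id] = label


def list_passkeys(acct: Account) -> dict:
    """What the owner reviews after regaining access."""
    return dict(acct.passkeys)


def remove_unrecognized_passkeys(acct: Account, recognized_ids: set) -> list:
    """Drop every passkey the owner does not recognize; return the removed ids."""
    removed = [cid for cid in acct.passkeys if cid not in recognized_ids]
    for cid in removed:
        del acct.passkeys[cid]
    return removed


if __name__ == "__main__":
    # Constructed scenario: owner and an unknown party both hold remembered sessions.
    acct = Account("alice", "placeholder-hash-v1")
    owner_session = sign_in(acct, remember_me=True)
    unknown_session = sign_in(acct, remember_me=True)
    register_passkey(acct, "cred-owner-laptop", "Alice's laptop")
    register_passkey(acct, "cred-unknown", "Unknown device")  # constructed unrecognized entry

    change_password(acct, "placeholder-hash-v2")
    print("unknown session still valid after password change:",
          session_is_valid(acct, unknown_session))  # False
    print("owner's old session still valid:", session_is_valid(acct, owner_session))  # False

    print("passkeys to review:", list_passkeys(acct))
    print("removed:", remove_unrecognized_passkeys(acct, {"cred-owner-laptop"}))
```

The generation counter is the important design choice: a service that only deletes the tokens it can find may miss copies held elsewhere, whereas a generation check rejects any session issued before the change no matter where the token lives.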
Associated services
Some of our accounts are used for more than one thing. For example, a Microsoft account includes access to email at Outlook.com, cloud storage at OneDrive.com, and is often used as your Windows sign-in account.
Again, it should be rare — in fact, so rare it should never happen — but theoretically, this could open a door for the hacker to regain access to your account.
As you recover from a hacked account, ensure that all services associated with that account are secured using your new password or other updated information.
Ongoing security breaches
I’ve never heard of this happening, but it’s worth being aware of the possibility.
Let’s say your account password was discovered because the service you used had a breach of some sort.
If that breach has not been discovered — in other words, it’s ongoing and the hacker still has access to the service’s database — then they could access any password updates as well.
If your account is hacked, make sure to review all the possibilities listed above. Above all, change or verify your recovery information immediately. Changing your password is not nearly enough.
Then, hacked or not, to ensure your account security:
- Add two-factor authentication to significantly reduce the chances of your account being hacked in the first place.
- Use strong, and most importantly, unique (different for absolutely every sign-in) passwords.
- Regularly check and update your recovery options. Out-of-date recovery options are the most common reason people lose access to their accounts permanently.
- Ensure your devices are secure and malware-free.
Footnotes & References
1: Since recovery codes are usually displayed only once when set up or changed, there’s typically no way to know if they’ve been changed. To be safe, reset them anyway.