Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

Changing Your Password After a Hack May Not Be Enough

There’s more to account security than the password.

Changing your password is a common response to account hacks. Unfortunately, it isn't enough.
A bright and simple photorealistic image showing a computer screen displaying a password change interface, with a large padlock icon. The background is minimal, with faint outlines of a smartphone and a tablet, emphasizing multiple access points. A person’s hand is seen typing on the keyboard, indicating action being taken to secure the account.
(Image: DALL-E 3)

I often hear from people who’ve had their email or other online account compromised, recovered access, and changed their password, only to have the account stolen again almost immediately.

The solution is a bit of work.

First, realize that while someone else has access to your account, they have access to everything related to that account.

As a result, changing your password isn’t enough. You need to do more.

Become a Patron of Ask Leo! and go ad-free!


Changing your password after a hack

After recovering a hacked account and changing the password, immediately verify all recovery information, such as email addresses, phone numbers, and security questions. Ensure everything is yours to prevent the hacker from using them to quickly regain access.

Recovery information

You authenticate with most online systems by providing a username or an email address plus a password. Your username may be publicly visible, but only you should know1 your password.

Most systems also provide a mechanism to recover or reset your password should you forget it. They use a variety of means that all boil down to the same thing: additional pieces of information you provided when you set up the account (or added to the account later2). These are often referred to as recovery information. They validate you are who you say you are by matching the information you set up originally.

If your account is ever compromised, it’s recovery information that presents the greatest risk.

Let’s look at some examples of what I mean, why it’s a risk, and what you should do about each.

Email addresses

Most online accounts require your email address. For some accounts, it acts as your username. For others, it’s simply a contact mechanism. For email accounts, there are also “alternate” email addresses.

Systems often provide the ability to send a password reset message to the email address of record (or the alternate email address) should you lose your password. Since only you could have set it up, by definition, that email address should be yours. Your ability to receive a message at that address confirms you are the rightful account holder.

Once a hacker compromises your account, they immediately change the email address or alternate email address to one they have access to. That way, if you request a password reset, they’ll get it, not you. If you manage to change the password, all the hacker has to do is request a password reset and they’ll regain access to the account.

What you should do. Once you’ve regained access to your account, verify that all email addresses associated with the account are yours. If they aren’t, change them right away.

Mobile numbers

Many service providers offer the ability to associate a mobile (or sometimes landline) phone number with your account. Some even require one.

As you proceed through an account recovery process, they can text or voice call you with a code. Your ability to provide the code proves you have the phone at that number. Since you set it up, you must be the authorized account holder.

By now, you probably realize that once a hacker has access to your account, they can change that number to their own. Any mobile-based account recovery attempts are then redirected to the hacker.

What you should do. As soon as you get back into your hacked account, confirm that all the phone numbers associated with it are still your own. If they aren’t, change them right away.

Billing information

It’s rare, but some systems use billing information, such as a credit card number on file or your billing address, in account recovery and validation. If you have this kind of information on file:

  • A hacker may use the credit card, potentially racking up charges that you may or may not be liable for.
  • A hacker can change it so if it’s used for account recovery purposes, it’s the hacker who regains access, not you.

What you should do. Confirm, change, or remove this information as soon as you get your account back. Check your credit card account immediately for any improper charges.

Secret questions

No service should use secret questions anymore. They’re just not secure because answers may be easily discovered online or elsewhere, yet some providers continue to use them. And, like the items above, if a hacker gets in, they can change the answers to their own.

What you should do. Once you’ve regained access to a hacked account, change all your secret answers immediately. Even if they’ve been untouched, the attacker could have written your answers down for use later.

Sometimes you get notified

Many services send a notification or even require a confirmation when security or recovery information for your account is changed.

If it’s a notification for a change you did not initiate, you need to act quickly to regain access to the account, undo the changes, and change the password.

If it’s a confirmation for a change you did not initiate, then do not confirm. Once again, regain access to the account and confirm everything is as it should be.

Unfortunately, not all services provide these notifications, but as you can see, they’re incredibly valuable when they do.

Between a rock and a hard place

There’s one scenario I need to call out as an example because it can result in permanent account loss.

  • You want to recover your account or make a security-related change of some sort.
  • The service sends a code to an email address or phone number configured in the account.
  • You no longer have access to the email address or the phone number; they’re old.
  • There’s no way to confirm you’re the rightful account holder, and you lose your account.

What you should do. Always make sure that the recovery information on all your accounts is up to date. It’s that simple.

Do this

You can see a pattern: any and all information you can use to recover your account should be validated, removed, or changed the instant you get your account back. That includes personal information, PINs, secret questions and answers, alternate email addresses, phone numbers, and more: anything the system uses for account validation and recovery.

If you don’t, it’s possible you could recover your account only to find it hacked again within minutes.

Before you run into trouble, increase the security of your account by adding two-factor authentication. This dramatically reduces the odds that your account could get hacked in the first place.

Want another way to stay on top of current security options? Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.

Podcast audio


Footnotes & References

1: Using a password vault counts as “knowing”.

2: Like after reading this article.

56 comments on “Changing Your Password After a Hack May Not Be Enough”

  1. This may be the most valuable information regarding personal cyber security that I have ever seen. All the anti-virus programs and firewalls in the world will do little good if you’re blabbing your “secret” information to the world via social networking sites.

    This is precisely how Sarah Palin’s e-mail account was hacked. A malicious individual, seeing publicly-available details about her, was successfully able to provide the correct answers to the security questions Mrs. Palin used for one of her e-mail accounts. Through this vulnerability, the hacker obtained access to the governor’s personal e-mail.

    Thank you, Leo, for such thorough coverage of this personal security problem.

  2. The 2nd email address could be used to break the hacker’s stranglehold on the primary account if the primary mail provider were to automatically refer to the 2nd mail address all changes made to password and proposed changes to 2nd mail addess – i.e. effectively pass master control of the primary account to the 2nd account. Do I get a prize for that idea?!!

  3. A bigger problem is that the major webmail players have password recovery mechanisms that do not even rely of ‘secret’ questions, but rather a recollection or best guess of how you have used the service.

    For example, GMail’s Password Recovery page starts with, “If you’ve already tried to reset your password and you’re still unable to access your Google Account, fill out the form below. Please answer each question as thoroughly and accurately as possible; the strength of your answers will determine if we can return your account. If you’re not certain about some of the dates, provide your closest estimate.”

    The problem here is that a hacker gets to offer an alternate ‘alternative’ email address and answer a few questions about what other Google services the user might have used (along with estimates of dates) . . . and a few other tidbits that are not super difficult to work out. If the mix seems probable to Google they sent a reset email to the proferred alternate email address.

    In other words, if a hacker can work out what other Google services this user has and the approximate creation dates, he or she had a pretty good chance of taking control of the account.

  4. While I have had no difficulties in this area (knock on wood), I remain concerned. I check credit card charges at least twice a month and my credit card and debit card likewise, so I think I’m on top of this problem. Incidentally, my ISP has withheld emails because they are questionable and appear to be complete strangers to me.

  5. I believe that my computer has been compromised to a degree. Several months ago,I don`t even remember when, I checked to see if I was the only name logged into my computer. To my amazement I was NOT the only person logged in. I kinda freaked and shut my computer down without writing down the “other” name.I have checked back often but found no one else logged in; this might be due to the fact that I have gotten a router.Just a couple of weeks ago I was going to log into my yahoo email account but I saw my computer password already typed into the space provided. I still get those stew-pid nigerian scams about money but, I always just delete them. I believe the unsolicitated emails of offers to view womens` private photos and chat sessions with unknown women,supposedly are nothing but hacking or spoofing scams. My yahoo email account hasn`t been hacked but I have suspicions that my computer is watched by parties unknown.

  6. In regard to ‘secret’ questions; if you have a set question there are limited ‘truthful’ answers. Try using one or two universal answers for all secret questions on all your web-based security. Like, Mothers maiden name? Venus, or blue whale, or Mitsubishi, or River Phoenix, and First pet you had? River Phoenix, Mitsubishi… etc.
    This makes guessing the answers nearly impossible and we’ve now made the answers endless, rather than the limited truthfull stock – AND it makes ur answers easy to remember IF you stick to the same ones all the time.
    FYI – Some profile setting areas in some web sites will show you your ‘secret answers’ which make the secret viod if you account is hacked.

  7. Thank you so much for this. My gmail account was hacked just this morning, and although I logged the hacker out and changed my password to a much stronger one, I hadn’t thought about any of these other possibilities until I read this article, and I’m so glad I did.

  8. I have always added a contact to my e-mail contact lists. I add:
    Since this does not exsist, and will be the first email address to be used (alphabetically) anytime mail is sent from me (bulk, all included) I get a notice that it could not be delivered to that account. Since I know I would not have sent to that contact, I know something is wront.

    The usefulness of that approach (having a bogus address early on in the address book) has been highly overrated. I wouldn’t bother.


    • I do have a couple of my different addresses in my address book.
      Unless they are alert, I would get a copy of the message(s) sent out.

  9. Quick Side Note: do a Google/Bing/Yahoo Search for your Email Address. If any Results POP up with your address… then its guaranteed that SPAMMERS already have your address, and have been causing mischief.

    Okay, Moving on:
    If you are being Blamed for SPAM’ing People who you do NOT know, and by people that you have NEVER emailed before (aka, ‘Strangers’)…. then its probably NOT you. Your account was ‘probably’ Never compromised.

    However, If you are being Blamed for SPAM’ing People who you Do know, and by people who you DO email (aka, ‘Your Friends’)… then your account COULD be compromised.
    In fact, if almost Everyone who complains is one of your ‘Friends’; and they ALL say the Spam came from you, then take it as a Higher & Higher probability it’s Your Account thats the source.

    Most likely, Your Email account Was hacked at some point in the Past, the hacker exported out your entire AddressBook; and has now finally begun Spamming all your addressbook-friends.
    Important Note: 10 years ago, the spam came directly from your friend’s infected windows pc. once he cleaned the infection, the spamming stopped.
    However, this SPAM 2.0 has a new TWIST: the spam is being delivered via someone’s open-relay-server. removing the infection on your friend’s windows pc will NOT stop the Spam from the Relay server.

    Let me Over-simplify with this quick analogy:
    It is the equivalent to ‘Me’ Crashing ‘Your’ Wedding, then Copying down All the Names & Addresses of everyone who signed ‘your’ GuestBook, then ‘me’ quietly sneaking out the back door… and then 2 weeks later i start phoning all ‘your’ Guests asking them to buy this magic Viagra medicine… but i pretend to be YOU on the Phone!!!

    if you can Grasp this Analogy… then now you Understand the full problem.

    EVERYBODY who signed the Guestbook loses in this scenario. You ‘could’ Close out your email account and go get a New one (Change teh locks on your doors, change your phone#, and/or move to a new House); but the SPAMMER (me) still has the contact info of ALL your Friends… So they are STILL going to get annoying phone calls from Me.
    Thus, no real escape for your friends… Unless they ALL Change their Phone #’s and move to new houses as well (Highly unlikely).

    But even if they Did… as soon as i Crash the Next Wedding… the cycle will Start over again!!

    Best Solution:
    Go get a Drink!

  10. There is yet another problem.

    A bad guy could set up a forwarding rule such that all your email is forwarded to him. No need for passwords after that. You still get your email and the bad guy never needs to logon to your account again, after the first time.

    Probably a good idea, after a webmail password is stolen, to review ALL the account settings.

    This is one thing, at least, that Hotmail is good at – if a forwarding rule has been set there’s a big notification at the top of your inbox that tells you so. I’m sure that varies from provider to provider. Next time I update this article I’ll include your point – thanks.


  11. One little trick I read about: in case you have been compromised, and there is a change that a key logger has been installed on your computer. Changing your passwords might be pointless since all your key strokes are being watched.

    A temporary way around this a the Ease of Access On Screen Keyboard (don’t know if Macs have this). From what I understand, clicking the keys via your mouse doesn’t get recorded on the key logger.

    I’ve recently changed all my passwords because my social network account was comprised. I changed my security questions and answers to something you wouldn’t know just from looking around my Facebook account.

    I’m probably going to reformat my computer anyway, just to be safe. Its annoying, sure, but I’d feel better knowing I’ve wiped my computer of anything my Norton probably missed. Good thing I have back ups.

    That approach is not guaranteed to bypass keyloggers. Please read this article: Is there a way to bypass keyloggers?


  12. Your articles were THE best of any I was able to find on the web. Most other sources did not provide enough details on what to look for to understand what the hacker actually did. You laid out the nuances of the way an account can be hacked and the signs to look for to tell what they actually do you have emails sent by the hacker in your sent box or not. Very helpful. THANKS!

  13. I am more worried that my friends are getting spam from “me.” If I totally change my email address, delete the old one, will the spam continue?

    It depends on how they’re getting spam “from” you. If your account has been hacked, the only thing to “stop” it is to regain access to the account. Even then the hackers may not stop as they’ll have your friend’s addresses. If the spam is not from your account directly, but simply shows you as a spoofed sender, then there’s nothing you can do.


  14. My account has been hacked and all of my contacts have been sent a link to a webpage. However of the things you suggested to look for nothing appears to have been changed (i.e. mobile number, back up email) i have changed my password and security question but am doubtful of how much this will help so was wondering if there was anything else you would suggest? My iphone is also linked to my account so i dont know if this could be the problem?

    Hackers often don’t change anything so that people aren’t quite as quick to notice that their account has been hacked. You need to change anything and everything that the hacker might use to force a password reset.


  15. I just found out my family account was hacked (the “want more pleasure?” link was sent to some of our contacts.) The thing is….does it for sure mean some person in another place was sitting there, going through our account? it’s our head account, which is connected to your ATT account, which lists our address and phone number. Should I panic?

    Quite possibly yes – someone somewhere was logged into the account going through it. I’m not sure what “connected to your ATT account” might mean, but ultimately you must assume someone was able to login to your account as you.


  16. A few months ago my husband had the same problem. We ended up deleting that email and giving him a new one. We had no more problems, until a couple days ago when my att yahoo mail became compromised. I really need to keep this email address. So I am trying to stop this by changing things such as password, a new sign in key, and changing anything in the options on my account that may have allowed this compromise. Then I discovered it would not allow me to access my contacts. I’m still working on that….

  17. Of late my contacts are getting emails from me about weird stuff that I never send them.I have changed my password and all security questions.Is there anything else I need to do? Is my account information safe? Will I have to make a new account?

  18. how can i change the alternative e-mail, who is not mine, my e-mail has been hacked and there is another alternative e-mail. Please tell me how to change it, because when i want to change, the e-mail goes to that another alternative e-mail.

  19. @Bess
    If your email has been hacked and the password and alternative email had already been changed, then it may be too late to recover your email account.

  20. someone told me only PCs get hacked. Apples don’t. Is that true?

    Accounts are getting hacked at an alarming rate, and that’s completely independant of what type of computer you use. Mac’s can get hacked, but it’s much less common.

  21. @Diane,
    It’s not so much that Apples aren’t hackable, as that there is so many more PC’s. So hackers concentrate their energies on the easy pickin’s

  22. I have two hotmail accounts. I can’t sign out of either. It tells me to erase all cookies. I have it set up so I have to sign in each time. Not sure what to do. My address book was hacked and porn emails went out to all my contacts. I did all of the above, but actually there wasn’t much to do. No secret questions or alternate email addresses. I just have this haunting feeling it’s open all the time.

  23. My email address starting sending out spam today. (The culprits may have waited deliberately till April fools day for this.) It sent out an email to a number of recipients from my contacts list. I only discovered it by accident because one of these addresses is now defunct. The email bounced back, showing me the list of recipients.

    So here’s an idea TO LET YOU KNOW pretty quickly if your address is sending spam. Enter a dummy fake email into your contacts list. Then it will be sure to bounce back, letting you know within good time of unauthorized activity.

  24. Leo has great info here

    do NOT ANSWER THEM appropriately
    MAKE up answers to them – Favorite Dog’s name – automobile
    WHO CARES what the answer is !!!

    Now, the important part is
    AND, in a FREE TEXT NOTES field per entry, RECORD the SECRET QUESTIONS, and their answers !!!!

    Yes, this makes it important that if you are working on a specific logged in account, yhou need the data inside that password manager to access parts of the account.
    BUT, that is the PURPOSE of SECURITY –
    it may make it a little harder on you, but YOU are PROTECTING YOUR DATA !!!!

    And with the government freely allowing hackers to HACK the government employee data, AND the data on relatives, etc, then MAKE YOUR DATA HARDER to access !!!!

    And, regarding two-factor authentication –
    it is NOT a breeze to use. Suppose I’m at a computer and I DO NOT have a phone with me , or battery is dead – and the two factor authentication is the phone??

    I’m cooked

    Alternate email, or codes sent to email, does help somewhat more,, because if I’m at my computer, I probably have access to my email (but not always)

    There are other alternatative methods also, but no one has made an easy system, in my opinion.

    anyway, this is just my humble two cents worth

    • Most all two-factor authentication schemes (at least those done properly) allow you to ALSO generate one-time passwords that you keep in a safe place. Each can be used exactly one time – long enough to login and turn of 2FA if you’ve lost your device.

    • I’d add to what Leo said, that in case you ever really need to change your password,for example, if the passwords were really compromised, adding even one character er would make it a completely different password, over 100 times stronger than the previous one. So you might keep that in mind for the future.

      I’m using the same password since the early 90s. The original was 7 characters, it grew to 10 and I’ve added a few gradually ever since. The last few characters are unique for each important website and application.

      In a case like LastPass where an email address is associated with your account, and it’s too difficult to change your password, you can simply change the email address associated with your account. That way, even if they were able to crack the email-password combination, they wouldn’t be able to associate the cracked password with the new email address in a million years (almost literally).

  25. Check your email account activity for unauthorised access logins .
    Hotmail/Outlook/Gmail provide this service including a drop down map, date and time of attempted and successful access of your account..
    I get attempted unauthorised attempts every week from around the world and from other states .
    Successful logins from a location you do not know are the signs to look for.
    Google for procedure.

  26. Recently all my gmails have been sent to the Trash before they
    are retreived in the inbox.There is no problem in sending out.
    Your advice & help to solved this is much appreciated.
    I have already reset my password & clear all filters etc etc

    • Only thing that comes to mind is anti-malware tools – they’ve been known to do this when using a desktop email program from time to time.

  27. Here’s the best way to handle the personal information questions. Don’t answer them as yourself, answer them as someone else such as your uncle, mother-in-law, a character in a book or movie or (my favorite) your imaginary friend. Of course your must never reveal who this person is to anyone.

    For questions such as elementary school for a movie or TV character, such as Tonto of the Lone Ranger, you will have to come up with a “interesting” answer such as “Hogswarts”.

    • The answer obviously does not have to relate to the actual questions can put red ,yellow and blue ..providing you can recall if your first school was blue ..or was it yellow or maybe red ?

  28. Hmm. When passwords are changed, are active logins forcibly closed by the server? If not, could a hacker not maintain a connection to the account, see that you have made changes, then change things back? Yes, he may not be able to recover your new password, but as you wrote, all data needed to once again reset the password could be changed back in his favor.

    • Changing a password should force the open session to close. This would be the case on a well designed website such as Facebook and the big name email providers. A poorly designed website might not log you off.

  29. Nice article….Good timing too.
    Just two days ago YouTube notified me that someone in Russia tried to use my account and that they denied access since it did not match the devices or locations I normaly use. They recomended that I change my password which I did. I didn’t think much about it at the time figuring “no big deal”.
    Now after reading your article I went back to my YouTube account and started looking around. What I noticed was that while I thought it not to be important at the time I found that if the “hacker” had gained access could have gotten a massive amount of information. What I search for. What I watch. Etc…..
    Now this has gotten me thinking and I deleted my search history and will go back and do mostly the same to the rest of my history’s.
    Now while there was nothing illegal with any of my activities, it may have had stuff I wouldn’t want my grandkids to know about.
    Thanks for getting me to think about it………….Alan

  30. Hazardous unexpected Cloud phenomenon:
    July 3rd wrestled with a seriously recalcitrant Trojan on a customer’s Win 8 machine, which she had purchased from Staples as a floor model. It apparently had been used by Staples as a demo for several months, including access by their customers, who screwed it up. Firefox had been installed at Staples but from a “rogue site” which infected the machine. Then, they [Staples] loaded Trend Micro plus AVG plus a couple of other “freebie” anti-malware programs, all at the same time, before deciding to unload the problem on a naive customer.

    I dug out everything and finally managed to install Vipre Internet Security which promptly caught and quarantined many copies of the same Trojan plus hundreds of adware PUPs. I ran several deep scans, only to have the Trojan get caught each time. What I finally figured out was that Microsoft Skydrive had been setup, not used by the purchaser, but the infection was hiding files in Skydrive on Microsoft cloud servers! That is beyond the reach of any anti-malware program scanning on a local machine… I uninstalled Skydrive, scanned twice more and am no longer getting “hits” for that Trojan…

    • Generally, when selling a floor model computer, the store should do a fresh reformat and install. A computer bought with malware is defective. If it’s still under warantee, your client should be able to bring it back, explain the problem and have them reinstall a fresh version of Windows. Before bringing it in, I’d recommend a full image backup to preserve any of your client’s data on the computer

    • The right solution in a case like this, IMO, is to wipe the computer and reinstall the OS from scratch. There’s simply no way to know what has been done to a floor model, and with so many people having access to it over the months it’s certain that whatever was done wasn’t good. I’d never accept a computer from anyone without the ability to install from scratch or restore it to a pristine condition.

  31. I would like to change my email – address from {email address removed} to my real e-mail address {email address removed} of the
    owner of this computer that is CHANIDA PANPATTANANON , PLS.

  32. Hi,
    It looks as if someone is sending emails from outside my email account, but they are putting my email address in the from header.
    They are not send from my mail server, and the only reason i know that once each two weeks they get send is because i get suddenly 100s of rejection notification as if I tried to send that email.
    Is this possible? Any way to get rid of this problem.

    • Here’s an article on that, but if you’ve forgotten the password, you won’t be able to close it.:

  33. Set up second-factor authentication on all accounts where you can. Then when you login from an unknown device you need to enter a number generated by an app. together with the password. Just using a password is insufficient these days.

  34. I take your recommendations for account security one step further. As part of my monthly system maintenance routines, I check that nothing has changed on either of my two email accounts, and any other important accounts too (I have a few that I check). For anyone who reads this, a few good candidates to include as important accounts could include bank, state/government, medical accounts, etc.

    I hope this helps others,

    Ernie (Oldster)

  35. Or you could have different answers everywhere – seems a bit dicey to reuse them, one account compromised means all are lost. Why not record your nonsense answers in your password manager?

  36. That’s what I do – in fact, I use my password manager to generate a new password, then put that in as the recovery question answer.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.