Getting your email hacked is serious because your inbox is the recovery mechanism for everything else. Here’s what to do in the right order — both to stop the damage and to make sure it doesn’t happen again.
Step 1: Regain access
If you’re locked out, use the account recovery option your provider offers — usually a backup email address, a phone number, or recovery codes. For Gmail, go to accounts.google.com/signin/recovery. For Outlook, go to account.live.com/password/reset.
If you set up recovery options in advance, this takes a few minutes. If you didn’t — and many people haven’t — it can take days of back-and-forth with the provider’s support team, and success isn’t guaranteed. One of the most practical things you can do today, before anything happens, is make sure your recovery options are up to date.
Step 2: Change your password immediately
Once you’re back in, change your email password to something strong and unique — a randomly generated string from a password manager, not a variation of something you’ve used before. The attacker likely still has your old credentials and will use them again.
Check for any active sessions you don’t recognize. In Gmail: click your profile photo → Manage your Google Account → Security → Your devices. In Outlook: account.live.com → Security → Review activity. Sign out any sessions you don’t recognize.
Step 3: Enable two-factor authentication
If you didn’t have 2FA enabled before, this is why you’re reading this. Turn it on now. Use an authenticator app (Google Authenticator, Authy, or the one built into your password manager) rather than SMS — SMS codes can be intercepted through SIM swapping.
In Gmail: go to myaccount.google.com → Security → 2-Step Verification. In Outlook: account.live.com → Security → Advanced security options. The setup takes about three minutes.
Step 4: Check what the attacker did
Look at your sent folder for emails sent from your account. Attackers often use compromised email to run phishing campaigns or reset passwords on linked accounts. If they sent anything, you need to warn the recipients.
Check your account settings for changes: forwarding rules, auto-reply settings, and filter rules. A common attack is to set up a forwarding rule so copies of all your incoming email go to the attacker even after you’ve changed your password. In Gmail: Settings → See all settings → Filters and Blocked Addresses, then the Forwarding and POP/IMAP tab on the same settings page. Delete anything you didn’t set up yourself.
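Clicking through every filter by hand is error-prone when there are many, so here is an added example (not code from the original article) that audits a Gmail filter export instead. It assumes the Atom-style XML that Gmail produces from Filters and Blocked Addresses → Export, where each filter is an `<entry>` holding `apps:property` elements such as `forwardTo`, `shouldTrash` and `shouldArchive`; the sample export below is constructed for the example, and the domain list you pass in (here `example.com`) is whatever you consider your own.

```python
import xml.etree.ElementTree as ET

# Namespaces used by Gmail's filter export (Settings -> Filters and Blocked
# Addresses -> Export). The export is an Atom feed with one <entry> per filter.
ATOM_NS = "http://www.w3.org/2005/Atom"
APPS_NS = "http://schemas.google.com/apps/2006"

# Constructed sample export for this example; not taken from any real account.
SAMPLE_EXPORT = """\
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='password OR verification OR security'/>
    <apps:property name='forwardTo' value='dropbox-mailbox@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name='from' value='alerts@bank.example'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>
"""

# Actions that keep a message out of the inbox or make it look already handled.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
# Match-criteria fields whose text is inspected for sensitive keywords.
CRITERIA_FIELDS = ("from", "to", "subject", "hasTheWord")
# Keywords that typically appear in recovery, reset and security messages.
SENSITIVE_TERMS = ("password", "reset", "verification", "security", "sign-in", "bank", "invoice")


def parse_filters(export):
    """Return one {property_name: value} dict per filter in the export."""
    if isinstance(export, str):
        export = export.encode("utf-8")
    root = ET.fromstring(export)
    filters = []
    for entry in root.findall(f"{{{ATOM_NS}}}entry"):
        props = {p.get("name"): p.get("value") for p in entry.findall(f"{{{APPS_NS}}}property")}
        filters.append(props)
    return filters


def audit_filter(props, own_domains):
    """Return human-readable findings for a single filter (empty list if it looks benign)."""
    findings = []
    forward_to = props.get("forwardTo")
    if forward_to:
        domain = forward_to.rsplit("@", 1)[-1].lower()
        if domain not in own_domains:
            findings.append(f"forwards matching mail to external address {forward_to}")
    hidden_by = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
    criteria = " ".join(props.get(f, "") for f in CRITERIA_FIELDS).lower()
    matched_terms = [t for t in SENSITIVE_TERMS if t in criteria]
    if hidden_by and matched_terms:
        findings.append(f"hides mail matching {matched_terms} via {hidden_by}")
    if forward_to and hidden_by:
        findings.append("forwards a copy and then hides the original, so you would never see it")
    return findings


def audit_export(export, own_domains):
    """Return [(filter_index, findings)] for every filter that raised at least one finding."""
    own_domains = {d.lower() for d in own_domains}
    flagged = []
    for i, props in enumerate(parse_filters(export)):
        findings = audit_filter(props, own_domains)
        if findings:
            flagged.append((i, findings))
    return flagged


if __name__ == "__main__":
    for index, findings in audit_export(SAMPLE_EXPORT, {"example.com"}):
        print(f"filter #{index}:")
        for finding in findings:
            print(f"  - {finding}")
```

On the sample export this flags the second filter (forwards security-related mail to an outside address and trashes the original) and the third (silently archives and marks read everything from the bank), while leaving the newsletter filter alone. The script only covers filters: the account-level forwarding address on the Forwarding and POP/IMAP tab still has to be checked by hand.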
Step 5: Audit connected accounts
Your email is used to reset passwords for every other account you own. Check which of those accounts had password reset emails sent recently — those may have been compromised too. Start with banking, financial accounts, and anything with a payment method attached.
Change passwords on any account where you used the same password as your email — if they got your email password through a breach, they’ll try it everywhere else. A password manager makes this systematic: you can see which accounts share passwords and update them one by one.
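To find which linked accounts received reset or new-login notices, here is an added example (not part of the original article) that scans messages for the subject lines such notifications usually carry, keeps only those inside a recent window, and lists the sender domains to check first. It assumes you either have individual raw messages or an mbox export such as the one Google Takeout produces for Gmail; the sample messages and the fixed "now" date are constructed so the run is reproducible.

```python
import email
import email.utils
import mailbox
import re
from datetime import datetime, timedelta, timezone

# Subject-line patterns typical of reset, recovery and new-login notifications.
RESET_PATTERN = re.compile(
    r"reset your password|password reset|password (?:was|has been) (?:changed|reset)|"
    r"new sign-?in|verification code|security alert|recovery (?:email|phone)",
    re.IGNORECASE,
)

# Fixed "now" so the example is reproducible; a real run would use datetime.now(timezone.utc).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)

# Constructed sample messages (raw RFC 5322 text); none of them are real.
SAMPLE_MESSAGES = [
    "From: Bank Alerts <no-reply@bank.example>\n"
    "Subject: Your password has been reset\n"
    "Date: Tue, 04 Jun 2024 09:15:00 +0000\n\n"
    "If you did not do this, contact us.\n",
    "From: shop@store.example\n"
    "Subject: Your order has shipped\n"
    "Date: Wed, 05 Jun 2024 12:00:00 +0000\n\n"
    "Tracking number enclosed.\n",
    "From: security@social.example\n"
    "Subject: New sign-in from an unrecognized device\n"
    "Date: Mon, 03 Jun 2024 22:41:00 +0000\n\n"
    "Was this you?\n",
    "From: noreply@old.example\n"
    "Subject: Reset your password\n"
    "Date: Mon, 01 Jan 2024 08:00:00 +0000\n\n"
    "Old notice, outside the window.\n",
]


def reset_notices(messages, now=NOW, days=30):
    """Return (sent_at, sender_domain, subject) for matching messages in the window, newest first."""
    cutoff = now - timedelta(days=days)
    hits = []
    for msg in messages:
        subject = str(msg.get("Subject", ""))
        if not RESET_PATTERN.search(subject):
            continue
        raw_date = msg.get("Date")
        if not raw_date:
            continue
        try:
            sent_at = email.utils.parsedate_to_datetime(raw_date)
        except (TypeError, ValueError):
            continue  # unparsable Date header: skip rather than crash on one bad message
        if sent_at.tzinfo is None:  # "-0000" style dates come back naive
            sent_at = sent_at.replace(tzinfo=timezone.utc)
        if sent_at < cutoff:
            continue
        sender = email.utils.parseaddr(str(msg.get("From", "")))[1]
        domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else sender.lower()
        hits.append((sent_at, domain, subject))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


def scan_raw(raw_messages, now=NOW, days=30):
    """Scan a list of raw message strings."""
    return reset_notices([email.message_from_string(r) for r in raw_messages], now, days)


def scan_mbox(path, now=None, days=30):
    """Scan an mbox file on disk (for example a Gmail export from Google Takeout)."""
    return reset_notices(mailbox.mbox(path), now or datetime.now(timezone.utc), days)


def domains_to_check(hits):
    """Sorted, de-duplicated sender domains, i.e. the accounts to audit first."""
    return sorted({domain for _, domain, _ in hits})


if __name__ == "__main__":
    hits = scan_raw(SAMPLE_MESSAGES)
    for sent_at, domain, subject in hits:
        print(f"{sent_at:%Y-%m-%d}  {domain:20}  {subject}")
    print("Accounts to check first:", ", ".join(domains_to_check(hits)))
```

With the constructed sample the 30-day window catches the bank reset and the social-network login alert and drops the January notice; widening `days` brings the older one back. Sender domain is used only to group results for you to review, since an attacker's phishing mail could carry any subject line, so treat the list as a starting point for Step 5 rather than proof of compromise.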
How this happens — and how to prevent it
Email accounts get compromised through a few main routes: password reuse (your email password was exposed in a breach of a different site), phishing (you clicked a fake login page), or weak password plus no 2FA (brute forced or guessed).
The prevention checklist: use a unique, randomly generated password for your email (managed in a password manager). Enable 2FA with an authenticator app. Set up recovery options now. Never enter your email password on a page you reached by clicking a link in an email — go directly to the site instead.
The bottom line
Move quickly when your email gets compromised — every hour it’s in someone else’s hands is time for more damage. The steps above, in order: regain access, change password, enable 2FA, audit for forwarding rules and sent messages, then check connected accounts. And once it’s resolved, make sure the recovery options are set up so you can get back in fast if it happens again.
