Your email got hacked. Here's how to take it back.

Email is the master key to your digital life. Password resets, bank notifications, 2FA codes—it all flows through email. If someone's in your inbox, they can get everywhere else. Time to lock them out.

Why this is serious

Your email is the skeleton key to everything. Attackers use it to reset passwords on your bank, social media, shopping accounts—anything with a "forgot password" link. Even after you change your password, they may have set up forwarding rules that silently send copies of your emails to themselves. We need to close every door.

Signs your email was compromised

Obvious signs

  • Password stopped working
  • Recovery email/phone changed
  • Friends got spam "from you"
  • Unfamiliar devices in login history
  • Emails deleted or missing

Subtle signs

  • Password reset emails you didn't request
  • New email rules you didn't create
  • "Read" emails you never opened
  • Emails in Sent folder you didn't write
  • Unfamiliar connected apps

Phase 1: Stop the Bleeding

Do these immediately. Every minute counts.

1

Scan your device first

10 min Easy

Before changing passwords, make sure your device isn't compromised. If there's a keylogger, they'll just capture your new password.

  • Run a full antivirus/malware scan
  • On Mac: Check System Settings → Privacy → Full Disk Access for suspicious apps
  • On Windows: Run Windows Defender full scan
  • Consider using a different, known-clean device for recovery
2

Regain access to your account

10-30 min Moderate

If you still have access, change your password immediately. If locked out, use account recovery.

Gmail Recovery Outlook/Hotmail Recovery iCloud Recovery Yahoo Recovery

Tip: Use a familiar device and network. Email providers use this to verify it's really you.

3

Sign out all other sessions

2 min Easy

Kick the attacker out of every device they're logged into. Most email providers have a "sign out everywhere" option.

Google: Manage Devices Microsoft: Recent Activity Apple: Manage Devices
4

Enable two-factor authentication

5 min Easy

Add 2FA immediately so a password alone isn't enough. Use an authenticator app, not SMS—attackers can intercept text messages.

  • Google Authenticator, Authy, or Microsoft Authenticator
  • Better yet: hardware key like YubiKey
  • Save backup codes somewhere safe (not in email)

Phase 2: Remove Attacker Persistence

Changing your password isn't enough. Attackers set up backdoors to maintain access.

The hidden threat: email forwarding rules

The FBI has warned that attackers create email forwarding rules to maintain access even after you change your password. All your incoming mail silently gets copied to their inbox. In one case, this led to $175,000 in fraud. Check for this NOW.
5

Check email forwarding rules

5 min Easy

This is critical. Look for any rules that forward, redirect, or auto-delete emails—especially ones targeting keywords like "bank," "password," or "invoice."

Where to check:

  • Gmail: Settings → See all settings → Filters and Blocked Addresses. Also check Forwarding and POP/IMAP tab.
  • Outlook: Settings → Mail → Rules. Also check Forwarding settings.
  • Yahoo: Settings → More Settings → Mailboxes → Check forwarding address

Red flags: Rules with vague names (., .., or single letters), rules forwarding to unknown addresses, rules deleting emails containing financial terms.

6

Review connected apps and permissions

5 min Easy

Attackers may have authorized malicious apps to access your email. Revoke anything you don't recognize.

Google: Connected Apps Microsoft: App Permissions Apple: Sign in with Apple
7

Remove app passwords

3 min Easy

App passwords let older apps bypass 2FA. If any exist that you didn't create, an attacker has a backdoor.

Google: App Passwords
8

Check recovery options

3 min Easy

Make sure your recovery email and phone number belong to you. Attackers change these to lock you out permanently.

Phase 3: Assess the Damage

Figure out what else they accessed and lock it down.

9

Check your Sent folder

5 min Easy

Did they send emails as you? Attackers often send phishing emails to your contacts or request wire transfers from your employer.

If they sent emails: Warn your contacts. Report to your IT department if work-related.

10

Search for password reset emails

10 min Easy

Search your email for "password reset" or "verify your account." This shows what other accounts they may have compromised.

Make a list of every account that received a reset email. You'll need to secure each one.

11

Check your trash and spam folders

5 min Easy

Attackers often delete evidence. Look for password reset confirmations, security alerts, or bank notifications they tried to hide.

Phase 4: Secure Connected Accounts

Change passwords on everything important. Start with money, end with social.

12

Financial accounts first

30 min Moderate

These are the highest-value targets. Check for unauthorized transactions while you're in there.

  • Bank accounts (checking, savings)
  • Credit cards
  • Investment accounts (401k, brokerage)
  • PayPal, Venmo, Cash App
  • Cryptocurrency exchanges

Report fraud within 48 hours

If you report unauthorized bank transactions within 48 hours, your liability is capped at $50. Wait longer, and you could lose everything. Call your bank immediately if you see anything suspicious.
13

Shopping and subscription accounts

20 min Easy

These often have saved payment methods. Change passwords and review recent orders.

  • Amazon, eBay, online retailers
  • Streaming services (Netflix, Spotify)
  • Food delivery (DoorDash, Uber Eats)
  • Any site with saved credit cards
14

Social media and communication

15 min Easy

Attackers use these to impersonate you or gather info for further attacks.

  • Facebook, Instagram, Twitter/X, LinkedIn
  • WhatsApp, Telegram, Signal
  • Dating apps
15

Work and professional accounts

15 min Easy

Alert your IT department. They may need to check for broader compromise.

  • Work email and systems
  • GitHub, GitLab, Bitbucket
  • Cloud services (AWS, Google Cloud, Azure)
  • Professional tools (Slack, Notion, Figma)

Phase 5: Protect Your Identity

If they had access to sensitive info, take these additional steps.

16

Freeze your credit

30 min Easy

If your email contained SSN, financial statements, or tax documents, freeze your credit immediately.

Equifax Experian TransUnion

See our detailed credit freeze guide.

17

Freeze ChexSystems

10 min Easy

Prevents attackers from opening bank accounts in your name.

ChexSystems Freeze
18

Report the incident

15 min Easy

Create an official record and get a personalized recovery plan.

IdentityTheft.gov (FTC) IC3 (FBI Cyber Crime)

How did this happen?

Understanding how you got hacked helps prevent it from happening again. Common methods:

Password spray attack

Attackers try common passwords against many accounts. If your password was "Summer2024!" or similar, this is probably how.

Credential stuffing

Your password leaked in another breach and you reused it. Check Have I Been Pwned .

Phishing

You entered your password on a fake login page. Check your browser history for suspicious URLs.

Malware

A keylogger or info-stealer captured your password. That's why we scan your device first.

Prevention going forward

  • Use a password manager—never reuse passwords
  • Enable 2FA on everything (authenticator app, not SMS)
  • Use a unique, complex password for your email (it's the master key)
  • Be suspicious of login pages—check the URL carefully
  • Consider a hardware security key for your most important accounts
Credit Freeze Guide Additional Protections