Email Account Hacked? What to Do, in the Right Order
When people realize their email has been hacked, the first thing most of them do is log in to their bank. It feels like the responsible move. It’s actually the one that can make everything worse.
Here’s why. Your email isn’t just another account. It’s the recovery point for almost every other account you own. The “forgot password” link on your bank, your brokerage, your insurance, your shopping accounts, they nearly all send a reset to your email. So if an attacker still controls your inbox and you start firing off password resets to protect your bank, you aren’t locking them out. You’re handing them the keys, one reset email at a time.
I spent over 20 years building identity protection products, and the account-takeover cases that did the most damage almost always followed this pattern. The email went first. Then everything downstream fell, because the email was never fully secured before the victim went chasing the symptoms.
So the order matters more than the individual steps. Regain control of the email. Lock it down completely. Only then work outward to the accounts that depend on it. Do it in that order and you cut off the attacker’s leverage. Do it out of order and you keep feeding it.
Why Your Email Is the Master Key
This isn’t a figure of speech. Researchers who studied how account recovery actually works put hard numbers on it. In a 2018 analysis of more than 200 popular websites, over nine in ten used email as a password-reset channel, and roughly four in five could be fully taken over by someone with access to the victim’s email alone. The exact percentages have shifted since, but the structure hasn’t. Email sits underneath nearly everything.
That’s by design, and for a long time it was a convenience worth having. One address, and you could recover a forgotten password almost anywhere. The problem is the convenience runs both directions. Whoever controls the inbox controls the resets. That’s what separates a hacked email from a hacked streaming login. The streaming account is one account. Email is the master key to the rest of them.
It also explains why the usual signs of trouble are worth taking seriously. A notice that your password or recovery phone changed when you didn’t change it, a login alert from a place you’ve never been, friends saying they got messages you never sent, a sent folder that’s suddenly empty. Any one of these means someone may already be inside, and the steps below apply whether you’ve confirmed the breach or just strongly suspect it.
Step 1: Regain Control of the Email Itself
Before you change a single password anywhere else, get the email back. Everything depends on it.
If you can still log in
You’re in better shape than most. Change the password right now to something long and unique, one you’ve never used on another site. Then keep reading, because changing the password is not the same as locking the account down. An attacker who got in once may have left several ways back in, and a new password closes only one of them. Step 2 covers the rest.
If the attacker already changed the password
Go straight to your provider’s account recovery page. Google, Microsoft, Yahoo, and the rest all have one, and the FTC keeps a current list of those recovery links in its guide to recovering a hacked account. They’ll try to confirm you’re the real owner through a backup phone number, an alternate email, a previously trusted device, or security questions. Use whatever verified option you still control.
This is also the moment to be honest with yourself about how deep it goes. If the attacker has already swapped the recovery phone and backup email for their own, automated recovery may fail, and you’ll need the provider’s manual identity-verification process. It’s slower and more frustrating, but it exists. Don’t give up at the first failed attempt.
Figure out how they got in
Once you’re back in, or while you’re locked out and working from another device, deal with the entry point. If your computer or phone is compromised, resetting your password just hands the new one to the attacker the next time you type it.
Run a full malware scan on the device you normally check email from. A keylogger, which is software that quietly records what you type, is one common way these credentials leak. If the device comes back clean and you’d reused your email password on a site that was later breached, that’s a different entry point with the same fix: a unique password, which Step 2 gets to. The third common path is phishing, where you typed your password into a fake login page without realizing it. You can’t undo the moment you entered it, but securing the account properly in Step 2 makes that stolen password useless going forward.
Step 2: Lock the Email Down Before You Touch Anything Else
Regaining access is not the finish line. It’s where most people stop, and it’s exactly where the well-run attacks survive. An intruder who’s had your inbox for any length of time usually plants a few quiet ways to keep their access or get it back. Close every one of them now, in this order.
Sign out of every active session. Every major provider has a setting that shows where you’re currently signed in and lets you sign out everywhere at once. Use it. This kicks out any session the attacker still has open, including ones a password change alone won’t disturb.
Turn on two-factor authentication, and pick the right kind. Two-factor authentication means a second step beyond your password, usually a code, so a stolen password isn’t enough on its own. Where you can, use an authenticator app or a physical security key rather than text-message codes.
Why not text-message codes?
They’re far better than nothing, but text codes can be intercepted through SIM swapping, where an attacker convinces your phone carrier to move your number to a SIM card they control. It’s not common, but for the one account that unlocks all the others, an authenticator app or hardware key removes that risk entirely.
Take back your recovery options. This is the step people skip, and it’s the one that lets an attacker walk back in a week later. Open your recovery settings and check the backup phone number, the alternate email, and the security questions. If any of them aren’t yours, the attacker added them so they could trigger their own recovery later. Remove them and replace them with options only you control.
Hunt down forwarding rules and filters. This is the sneakiest backdoor of all.
Check this even if everything else looks normal.
An attacker can set a rule that silently forwards a copy of every incoming message to an address they own, or a filter that auto-deletes the security alerts your provider sends. With either one in place, they can let you change your password back, sit quietly, and keep reading your mail. Go through your forwarding settings and your filter rules line by line and delete anything you didn’t create.
Review connected apps and app passwords. Email accounts let you grant other apps access to your inbox, and that access usually survives a password change. Revoke anything you don’t recognize. If you ever created an “app password” for an older mail program, delete the ones you’re not actively using, since those bypass two-factor entirely.
Only when all of that is done is the email genuinely yours again.
Step 3: Now Work Outward to the Accounts That Depend on It
With the email secured, and only now, start on everything downstream. This is the part you wanted to do first. It works now because the attacker can no longer intercept the reset emails you’re about to generate.
Start where a takeover does the most damage. The FTC’s own guidance is to secure your most sensitive accounts first: banking, credit cards, anything financial, then the accounts tied to your identity, like tax and government logins. Change those passwords, make each one unique, and turn on two-factor authentication while you’re in there.
Then handle the quieter risk. Any account that used your email address as its username or its recovery contact is exposed too. Streaming, shopping, airline miles, a utility login. Individually they look minor. Together they hold enough personal and payment data to be worth an attacker’s time, and any one of them can be a stepping stone to something larger.
If you reused your email password anywhere, and most people have, those accounts were already exposed before this breach even happened. The prevention section below covers how to close that gap for good.
Finally, watch for fraud. Check your bank and card statements for charges you don’t recognize. If you think the attacker reached financial data or your Social Security number, treat it as potential identity theft and report it at IdentityTheft.gov, the FTC’s official recovery site, which builds you a personalized step-by-step plan. If you’re worried about someone opening new credit in your name, a credit freeze is the strongest free protection available and the single best step you can take.
How to Make This Far Less Likely Next Time
The same handful of habits that get you out of this also keep you out of it.
Use a unique password for your email that lives nowhere else. The most common way email accounts get taken over isn’t sophisticated. It’s a password you reused on some other site that got breached, then replayed against your inbox. A password manager makes unique passwords everywhere actually practical, which is why it’s the highest-leverage change most people can make.
Keep two-factor authentication on your email permanently, ideally with an authenticator app or security key. Even a stolen password gets an attacker nowhere without the second factor.
Treat your inbox like the master key it is. Be skeptical of any message asking you to log in through a link, because that’s where a lot of credential theft starts. If you’ve clicked one recently and aren’t sure what happened next, our guide to what to do after you clicked a phishing link walks through it.
Check your email’s settings now and then, before there’s a problem. A quick look at active sessions, recovery options, and forwarding rules every few months will surface anything off long before it turns into a recovery situation.
The Honest Bottom Line
A hacked email feels like an emergency, and the panic pushes you toward the wrong move: rushing to protect your bank while the attacker still owns the inbox every reset routes through. The fix isn’t more urgency. It’s order. Regain the email, lock it down completely, then work outward. Done in that sequence, you take away the attacker’s leverage instead of feeding it.
Most of the damage in these cases comes from acting in the wrong order, not from acting too slowly. Take the extra twenty minutes to secure the email all the way before you move on. That’s the difference between an afternoon of cleanup and a problem that keeps reopening for weeks.
If this started with a link you clicked, the guide to a clicked phishing link covers what that click does and doesn’t do. And if you want the one habit that prevents most of this from happening again, start with a password manager.
Tom Reardon spent over 20 years in product and operations at major identity protection providers. He writes at MyScamGuide.com to give consumers the honest picture the industry’s marketing never did.
Recommended resources:
- How To Recover Your Hacked Email or Social Media Account: FTC guidance with direct recovery links for major providers
- IdentityTheft.gov: the FTC’s official recovery resource with personalized plans
- Protect Your Personal Information From Hackers and Scammers: FTC overview of passwords, two-factor authentication, and device security