If your email account has been hacked, the first priority is not guessing how it happened. It is stopping further access, preserving evidence, and checking what else the attacker may have touched. This guide gives you a practical checklist you can return to whenever an email account compromise happens, whether you still have access to the mailbox, have been locked out, or suspect the account was used to target coworkers, customers, or family members. The steps are written to stay useful even as providers change settings, recovery flows, and security features over time.
Overview
What you will get here is a recovery playbook in plain language: immediate actions, scenario-based checklists, evidence to save, and the account settings people often miss after an email account compromise.
Email is often the center of account recovery for everything else. If an attacker controls your mailbox, they may be able to reset passwords for banking, cloud storage, work applications, shopping sites, payroll systems, developer tools, and social accounts. That is why a compromised email account can quickly turn into identity theft, a business email compromise incident, or a broader privacy problem.
Use this order of operations:
- Contain the account by changing credentials or starting the provider recovery process.
- Remove attacker persistence such as forwarding rules, delegated access, trusted devices, recovery details, and app passwords.
- Preserve evidence before logs disappear or settings get overwritten.
- Check downstream exposure including password resets, financial accounts, and internal business systems.
- Notify affected contacts if the mailbox was used for phishing, invoice fraud, or impersonation.
There is no single sign that proves a hack. Common warning signs include:
- Password no longer works even though you did not change it.
- Unexpected password reset emails or login alerts.
- Sent mail you did not write.
- Inbox rules that auto-delete, archive, or forward messages.
- Recovery phone number or backup email changed.
- New devices or sessions listed in account activity.
- Contacts receiving phishing messages from you.
- MFA prompts you did not initiate.
If the attack started with a fake message, it is worth reviewing current phishing patterns and impersonation tactics in Phishing Scam Alerts: New Email, Text, and QR Code Scams to Watch and, if SMS played a role, How to Tell if a Text Message Is a Scam.
Checklist by scenario
This section gives you a reusable checklist by situation so you can act without skipping the less obvious steps.
Scenario 1: You still have access to the email account
- Change the email password immediately. Use a unique password that is not reused anywhere else. If you use a password manager, generate a new random password.
- Turn on or reset multi-factor authentication. Prefer an authenticator app, passkey, or hardware key where available. If MFA was already enabled, review whether the attacker added their own device or backup method.
- Sign out of all sessions. Most providers offer a way to log out other devices or revoke active sessions. Use it after changing the password: not every provider invalidates existing sessions on a password change alone, and an attacker holding a live session can otherwise keep reading mail.
- Review account activity. Check recent sign-ins, IP locations if shown, device history, and security events. Save screenshots.
- Check mailbox rules and filters. Look for forwarding, hidden rules, archive/delete rules, and keyword filters meant to hide bank alerts, invoices, or provider security notifications.
- Check forwarding and delegated access. Remove any forwarding address you do not recognize. Review mailbox delegation, linked accounts, or account sharing features.
- Check recovery options. Make sure recovery email, recovery phone number, trusted contacts, and backup codes belong to you.
- Review connected apps. Remove suspicious OAuth grants, IMAP/POP clients, app passwords, and third-party mail tools you no longer use.
- Search sent, trash, draft, and spam folders. Attackers often leave clues in these folders or use drafts for internal fraud staging.
- Secure other important accounts. Change passwords for banking, payroll, cloud storage, work accounts, marketplaces, developer tools, and any service that can be reset through that mailbox.
- Warn contacts if needed. If the attacker sent messages from your account, tell recipients not to click links, open attachments, or trust payment requests sent during the compromise window.
Scenario 2: You are locked out of the email account
- Start the provider's official account recovery flow. Go directly to the provider website or app, not to links in messages. Avoid sponsored search results if you are unsure.
- Use a device and network you have used before. Recovery systems often weigh familiarity (a browser, IP range, or device seen on earlier sign-ins), so a known browser on your home network may improve your odds.
- Document the lockout. Capture screenshots of error messages, password reset notices, recovery detail changes, and any suspicious texts or emails.
- Check whether recovery details were altered. If the backup email or phone number has changed, note the date and any confirmation messages you still have.
- Secure your device before retrying. If malware or a browser compromise may be involved, scan the device, update the OS and browser, and sign in from a clean device if possible.
- Freeze downstream risk. Start changing passwords on important accounts linked to that email address. Begin with financial services, employer accounts, cloud storage, and password manager access.
- Tell your employer or IT team quickly if it is a work account. A work mailbox can expose internal systems, customer conversations, and invoice workflows. Early notice matters.
- Escalate account misuse. If contacts are being phished, payroll details changed, or payment requests sent, warn stakeholders immediately and activate internal incident response.
Scenario 3: It is a work or admin mailbox
A shared inbox, finance mailbox, administrator mailbox, founder mailbox, or support inbox deserves a broader response. Treat it as a business incident, not just a password reset event.
- Disable or restrict the account if necessary. Temporary suspension may be safer than leaving a compromised mailbox active.
- Preserve logs. Export mailbox audit logs, sign-in history, message trace, and admin console events before retention windows expire.
- Check for lateral movement. Review SSO logs, VPN activity, cloud admin roles, password reset events, and suspicious changes in collaboration tools.
- Review impersonation risk. Search for fake invoices, vendor banking changes, payroll diversion attempts, and customer support fraud.
- Inspect mail flow controls. Look for transport rules, connector changes, mailbox permissions, and forwarding set at both the user and admin level.
- Assess notification obligations. Depending on what data was accessible, legal, compliance, and communications teams may need to evaluate whether breach notification is required. For background, see Breach Notification Laws by State.
- Reset related secrets. If the mailbox received system alerts, one-time links, API notices, or admin approvals, review whether infrastructure credentials or sensitive workflows were exposed.
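The "Preserve logs" and "Check for lateral movement" steps above, and the timeline advice later under Common mistakes, come down to one question: when did the unfamiliar access start, and what did it change afterwards? The script below is an added example, not any provider's tooling. It assumes a hypothetical normalised JSON-lines export with the fields ts, event, ip, country, result and detail; map your provider's real audit and sign-in fields onto that shape first. The log lines, addresses and times in it are constructed.

```python
"""Build a compromise timeline from exported sign-in and audit events.

Added example, not provider code. The JSON-lines shape (ts, event, ip,
country, result, detail) is a hypothetical normalised export; map your
provider's real audit fields onto it. All IPs and times are constructed.
"""
import json
from datetime import datetime
from typing import Optional

# Events that give an attacker a way back in after the password changes.
PERSISTENCE_EVENTS = {
    "rule_created", "forwarding_enabled", "delegate_added", "mfa_method_added",
    "recovery_email_changed", "recovery_phone_changed", "app_password_created",
    "oauth_consent",
}

# Constructed sample log: the owner signs in from one address, then an
# unfamiliar address succeeds and immediately plants persistence.
SAMPLE_LOG = """\
{"ts": "2024-06-01T08:02:11Z", "event": "sign_in", "ip": "203.0.113.5", "country": "NL", "result": "success"}
{"ts": "2024-06-02T08:15:40Z", "event": "sign_in", "ip": "203.0.113.5", "country": "NL", "result": "success"}
{"ts": "2024-06-03T22:41:03Z", "event": "sign_in", "ip": "198.51.100.23", "country": "NG", "result": "failure"}
{"ts": "2024-06-03T22:41:09Z", "event": "sign_in", "ip": "198.51.100.23", "country": "NG", "result": "success"}
{"ts": "2024-06-03T22:43:50Z", "event": "rule_created", "ip": "198.51.100.23", "detail": "rule named '.' deletes mail matching 'invoice'"}
{"ts": "2024-06-03T22:44:12Z", "event": "forwarding_enabled", "ip": "198.51.100.23", "detail": "forward to ap-finance@lookalike-example.net"}
{"ts": "2024-06-03T22:50:01Z", "event": "recovery_phone_changed", "ip": "198.51.100.23", "detail": "new number added"}
{"ts": "2024-06-04T07:58:30Z", "event": "sign_in", "ip": "203.0.113.5", "country": "NL", "result": "success"}
"""


def parse_ts(value: str) -> datetime:
    # Exports commonly use a trailing Z; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_log(text: str) -> list:
    """Parse JSON lines into events sorted by time (exports are not always ordered)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = parse_ts(event["ts"])
            events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def known_good_ips(events: list, last_known_good: str) -> set:
    """IPs that signed in successfully before the last moment you are sure the account was yours."""
    cutoff = parse_ts(last_known_good)
    return {e["ip"] for e in events
            if e["event"] == "sign_in" and e["result"] == "success" and e["ts"] <= cutoff}


def first_unfamiliar_signin(events: list, known_ips: set) -> Optional[dict]:
    """The first successful sign-in from an address outside the known-good set."""
    for e in events:
        if e["event"] == "sign_in" and e["result"] == "success" and e["ip"] not in known_ips:
            return e
    return None


def compromise_timeline(events: list, known_ips: set) -> list:
    """Rows of (time, event, ip, detail) from the first unfamiliar sign-in onward.

    Keeps sign-ins from unfamiliar addresses and every persistence event, whichever
    address made it, because an attacker replaying a stolen session looks familiar.
    """
    start = first_unfamiliar_signin(events, known_ips)
    if start is None:
        return []
    rows = []
    for e in events:
        if e["ts"] < start["ts"]:
            continue
        unfamiliar_signin = e["event"] == "sign_in" and e["ip"] not in known_ips
        if unfamiliar_signin or e["event"] in PERSISTENCE_EVENTS:
            rows.append((e["ts"].isoformat(), e["event"], e["ip"], e.get("detail", "")))
    return rows


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    good = known_good_ips(evs, "2024-06-02T23:59:59Z")
    for row in compromise_timeline(evs, good):
        print(" | ".join(row))
```

The cutoff you pass to known_good_ips is the "last known good access" from your own timeline, not the first alert; anything that succeeded after it is treated as unfamiliar. The output is the list of IPs to revoke sessions for and the settings to roll back, in order.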
Scenario 4: You suspect the compromise started with credential reuse
If the same password was used elsewhere, the problem may be larger than email alone. A credential stuffing attack can turn one reused password into multiple account takeovers.
- Change every reused password. Start with banking, primary cloud services, work accounts, shopping sites, and anything storing card data or personal records.
- Enable MFA broadly. Email is only one piece; your priority is reducing the attacker's ability to pivot.
- Check for breach exposure. If the compromise followed a public data leak notice or breach notification, review the exposed data type and update affected credentials accordingly. The Data Breach Tracker can help frame what customers should do after an incident.
- Consider a credit freeze if sensitive identity data was also exposed. Email compromise alone does not always require it, but if your SSN, driver's license, or financial account data may be involved, review Credit Freeze Guide After a Breach.
What to double-check
These are the settings and traces that people often miss. Checking them matters as much as changing the password, because each one is a way for an attacker to keep or regain access after the password changes.
- Inbox rules created to hide evidence. Search for rules affecting words like invoice, bank, wire, payment, security, reset, crypto, payroll, admin, or MFA.
- External forwarding. Attackers often auto-forward messages to a lookalike address.
- Delegated mailbox access. In business environments, a mailbox may stay exposed through permissions even after the password changes.
- OAuth app grants. If you clicked a consent screen rather than entering a password, the attacker may retain access through an access or refresh token until the grant is revoked. A password change usually does not revoke it, so remove the grant explicitly.
- App passwords and legacy protocols. An app password is a separate credential, so in some ecosystems it keeps working after the main password changes. Revoke every app password and IMAP/POP client you do not recognize, and disable legacy protocols entirely where your provider allows it.
- Recovery phone and backup email. If these are wrong, the attacker can take the account back later.
- Trusted devices and remembered browsers. Remove devices you do not recognize.
- Signature and display name changes. Some attackers alter signatures to stage invoice fraud or add malicious links.
- Trash and archived folders. Evidence may be hidden there, especially security notices or bounced phishing attempts.
- Password manager access. If your mailbox can reset your password manager, secure that account immediately.
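The rule and forwarding checks in Scenario 1 and the first three items above are the same audit: find rules that leak mail outside your domain, rules that hide the alerts an attacker wants you not to see, and rules named to be overlooked. The script below is an added example, not any provider's tooling. It assumes a hypothetical normalised JSON export of rules (name, forward_to, subject_contains, body_contains, from_contains, actions, hidden); your provider's real export will need mapping onto that shape. The sample rules and addresses are constructed.

```python
"""Audit an export of mailbox rules for the persistence tricks listed above.

Added example, not any provider's tooling. The export is a hypothetical
normalised JSON list (name, forward_to, subject_contains, body_contains,
from_contains, actions, hidden); map your provider's real rule export onto it.
Addresses below are constructed.
"""
import json

# Words attackers filter on to keep alerts and fraud-related mail out of sight.
SUSPICIOUS_KEYWORDS = {"invoice", "bank", "wire", "payment", "security",
                       "reset", "crypto", "payroll", "admin", "mfa"}
# Actions that take a matching message out of the inbox without the owner seeing it.
HIDING_ACTIONS = {"delete", "mark_read", "move_to_junk", "move_to_archive", "move_to_rss"}

# Constructed sample: one benign rule and three attacker-style rules.
SAMPLE_EXPORT = """[
  {"name": "Newsletters", "from_contains": ["news@"], "actions": ["move_to_archive"]},
  {"name": "Forward", "forward_to": ["ap-finance@lookalike-example.net"], "actions": ["forward"]},
  {"name": ".", "subject_contains": ["invoice", "wire", "MFA"], "actions": ["delete", "mark_read"]},
  {"name": "", "hidden": true, "subject_contains": ["password reset"], "actions": ["move_to_rss"]}
]"""


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def audit_rules(rules: list, own_domains: set) -> list:
    """Return (rule_name, reason) pairs for rules that need a human look."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in rules:
        raw_name = rule.get("name", "")
        name = raw_name or "<unnamed>"
        actions = set(rule.get("actions", []))
        # 1. Forwarding or redirecting to an address outside your own domains.
        for addr in rule.get("forward_to", []):
            if domain_of(addr) not in own:
                findings.append((name, f"forwards mail to external address {addr}"))
        # 2. Hiding rules keyed on words an attacker wants suppressed
        #    (substring match, so 'password reset' trips on 'reset').
        terms = [t.lower() for t in rule.get("subject_contains", []) + rule.get("body_contains", [])]
        hits = sorted(k for k in SUSPICIOUS_KEYWORDS if any(k in t for t in terms))
        hiding = sorted(actions & HIDING_ACTIONS)
        if hits and hiding:
            findings.append((name, f"hides messages matching {hits} via {hiding}"))
        # 3. Blank, single-character or hidden rules: attackers name rules to be overlooked.
        if len(raw_name.strip()) <= 1 or rule.get("hidden"):
            findings.append((name, "rule name is blank or minimal, or rule is flagged hidden"))
    return findings


def audit_export(export_json: str, own_domains: set) -> list:
    return audit_rules(json.loads(export_json), own_domains)


if __name__ == "__main__":
    for rule_name, reason in audit_export(SAMPLE_EXPORT, {"example.com"}):
        print(f"{rule_name!r}: {reason}")
```

Treat every finding as something to remove or confirm with the mailbox owner; the benign archive rule produces nothing, while the three attacker-style rules produce five findings between them. Run the same audit against rules set at the admin or transport level, not only the user's own list.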
Also preserve evidence with intent. Useful items include:
- Dates and times of suspicious activity.
- Provider security alerts and login notices.
- Screenshots of changed settings.
- Copies of suspicious emails with full headers if available. Save the raw message (for example as an .eml file or a "show original" export) rather than forwarding it, since forwarding rewrites the headers that show where the message came from.
- Lists of affected contacts or systems.
- Audit logs, sign-in history, and admin actions for work accounts.
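Once a suspicious message is saved with full headers, the useful evidence is the Received chain (where it entered your mail system), your own server's SPF/DKIM/DMARC verdicts, and whether the visible sender matches the envelope sender. The script below is an added example that uses only the Python standard library; it is not provider tooling. The message it parses is constructed, and every host, IP, domain and ID in it is a placeholder from documentation ranges, not data from a real incident.

```python
"""Pull the evidence-bearing headers out of a saved suspicious message.

Added example using only the standard library; not provider tooling.
The message below is constructed: every host, IP, domain and ID is a
placeholder, not from a real incident.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Optional

SAMPLE_RAW = """\
Return-Path: <billing@vendor-example.net>
Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.example.org with ESMTPS id abc123; Tue, 4 Jun 2024 09:12:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7]) by mail.example.com with ESMTPA id xyz789; Tue, 4 Jun 2024 09:11:55 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=vendor-example.net; dkim=none; dmarc=fail header.from=vendor.example
From: "Accounts Payable" <ap@vendor.example>
To: finance@example.org
Subject: Updated bank details for invoice 4471
Date: Tue, 4 Jun 2024 09:11:50 +0000
Message-ID: <20240604091150.1234@vendor-example.net>

Please update our banking details before paying invoice 4471.
"""

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_message(raw: str):
    return message_from_string(raw, policy=policy.default)


def received_chain(msg) -> list:
    """Received headers oldest-first: each relay prepends, so the last one is the entry point."""
    return [str(h) for h in reversed(msg.get_all("Received", []))]


def auth_results(msg) -> dict:
    """SPF/DKIM/DMARC verdicts recorded by your own receiving server."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results[method.lower()] = verdict.lower()
    return results


def domain_of(header_value) -> str:
    return parseaddr(str(header_value))[1].rsplit("@", 1)[-1].lower()


def entry_ip(hops: list) -> Optional[str]:
    """IP seen by the first relay: where the message actually entered the mail system."""
    match = IPV4_RE.search(hops[0]) if hops else None
    return match.group(1) if match else None


def summarize(raw: str) -> dict:
    msg = parse_message(raw)
    hops = received_chain(msg)
    from_domain = domain_of(msg["From"])
    return_path_domain = domain_of(msg["Return-Path"]) if msg["Return-Path"] else ""
    return {
        "subject": str(msg["Subject"]),
        "message_id": str(msg["Message-ID"]),
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        # Display sender and envelope sender on different domains is a classic spoofing tell.
        "sender_mismatch": from_domain != return_path_domain,
        "auth": auth_results(msg),
        "hops": len(hops),
        "entry_ip": entry_ip(hops),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Only trust Authentication-Results lines written by your own receiving server (the authserv-id before the first semicolon); anything earlier in the chain could have been added by the sender. The entry IP and Message-ID are what you hand to the provider, your IT team, or a fraud dispute.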
Evidence helps with provider recovery, internal incident handling, fraud disputes, and any required disclosure decisions. Do not obsess over perfect forensics before containment, but do save what you reasonably can.
Common mistakes
This section highlights the errors that most often turn an email compromise into a longer incident.
- Changing the password but not checking forwarding rules. This is one of the most common misses. Attackers may keep seeing your mail after the password change.
- Assuming MFA means the account is safe. MFA reduces risk, but it does not rule out consent phishing, session theft, prompt fatigue, or stolen backup codes.
- Only securing the email account. If password resets were triggered elsewhere, the attacker may already have access to other services.
- Ignoring sent messages. An attacker may have already contacted customers, vendors, or coworkers. Delay increases fraud risk and reputational damage.
- Recovering the account on an unsafe device. If malware, malicious extensions, or browser compromise caused the issue, logging back in from the same environment can undo your work.
- Not documenting the timeline. Even a simple timeline helps: first alert, last known good access, recovery actions, suspicious messages sent, and affected systems.
- Using links in warning messages. Some fake security alerts are part of the attack. Navigate directly to the provider instead.
- For business mailboxes, treating it as a user support ticket only. A compromised finance or executive inbox can become a business email compromise event with legal, financial, and customer impact.
If the compromise overlaps with extortion, encryption, or wider system disruption, it may point to a bigger incident. In that case, a broader view of active ransomware patterns can be useful; see the Ransomware Incident Tracker for context.
When to revisit
Use this final section as a maintenance checklist. Email account takeover recovery is not done the moment you regain access. Revisit the account whenever workflows change, before seasonal planning cycles, and after any new suspicious activity.
Set a follow-up schedule:
- Within 24 hours: Recheck sign-in history, forwarding rules, delegated access, and app connections.
- Within 7 days: Review other accounts tied to the mailbox, especially financial, payroll, cloud, and developer platforms.
- Within 30 days: Confirm contacts are no longer receiving scams from your address and verify no new recovery changes were made.
- At each major workflow change: If you add a new password manager, migrate providers, enable SSO, change phones, or onboard a new mail client, review your account security posture again.
- Before high-risk seasons: Tax periods, holiday shopping seasons, year-end finance workflows, and travel periods tend to increase fraud attempts and social engineering pressure.
A practical recurring checklist looks like this:
- Verify password uniqueness and MFA method.
- Review recovery phone, backup email, and backup codes.
- Audit forwarding rules, filters, and delegated access.
- Remove unused apps, old mail clients, and unnecessary app passwords.
- Check recent sign-ins and trusted devices.
- Test your incident plan: who to notify, what evidence to save, and how to warn contacts fast.
If you manage email for a team, turn this article into a runbook. Keep screenshots of where your provider stores sign-in history, active sessions, forwarding settings, admin audit logs, and OAuth grants. The exact menus may change, but the recovery logic stays the same: contain, remove persistence, preserve evidence, check downstream accounts, and communicate clearly.
The main reason to revisit this topic is simple: providers change interfaces, attackers change methods, and your own tools change over time. A current checklist helps you act faster when minutes matter. When your email is hacked, the best answer to "what do I do" is a repeatable process rather than improvising under stress.