One study found that a breached inbox can let attackers reset other services within hours, often without obvious signs.
You’ll learn quick, practical checks you can run right now. First, look for strange sent messages, unfamiliar sign-ins, or settings that changed. Then confirm details in your provider’s security dashboard and lock the account down fast.
This guide helps both personal and work inboxes. If you use a business account, loop in IT so the threat doesn’t spread across systems.
Expect to review recent sign-ins, sent mail you didn’t send, password reset activity, connected apps, forwarding rules, filters, and active sessions. Your goal is simple: contain the intruder, recover access, then clean devices and linked accounts so problems don’t return.
You don’t need advanced tech skills — just careful steps and attention. If you’re locked out, the article will cover recovery options and steps to protect your identity and other accounts after you regain control.
Why a hacked email account is a big deal right now
If an outsider can read your messages, they can trigger resets and seize connected services in minutes. That single access often acts as a master key for other services you use every day.
Your inbox as the master key
Password reset links and recovery messages land in the mailbox. Anyone who reads them can change credentials, lock you out, and claim accounts that share the same address.
What can ripple from one compromise
A single breached account can cascade into multiple affected accounts — banking, cloud storage, shopping, and work tools. Attackers search old messages for statements, IDs, invoices, and other sensitive information.
- Identity theft: stolen details used to open lines of credit or file false claims.
- Money loss: fraudsters trigger resets, make transfers, or run gift-card schemes.
- Social media takeover: logins reset using your inbox, then impersonation spreads to contacts.
- Recovery obstacles: if recovery email or phone is changed, reversing control gets much harder.
Act quickly and calmly. Early action can cut off access, limit damage, and speed recovery of affected accounts.
Quick signs your email may be hacked
Small, odd changes in sent messages are often the first clue that someone else has control of an account.
Unfamiliar sent messages or outgoing mail
Look in Sent and Outbox first. Attackers often use your address to send phishing messages to people who trust you.
These messages may read as generic, ask for money, include strange attachments, or contain suspicious links.
Security alerts and odd sign-ins
Check login notifications from your provider. Alerts usually show location, IP, and device details.
“Impossible travel” alerts — sign-ins from distant cities within hours — are a red flag.
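The check behind an "impossible travel" alert, as an added example rather than any provider's actual logic: it compares consecutive sign-ins and flags pairs that would require moving faster than an airliner. The sample sign-ins, the 900 km/h ceiling, and the 50 km floor are assumptions chosen for illustration.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample sign-in history: (UTC time, city, latitude, longitude).
SIGN_INS = [
    ("2024-05-01T08:00:00", "Chicago", 41.88, -87.63),
    ("2024-05-01T12:30:00", "Chicago", 41.88, -87.63),
    ("2024-05-01T14:00:00", "Warsaw", 52.23, 21.01),
    ("2024-05-02T09:00:00", "Milwaukee", 43.04, -87.91),
]

MAX_KMH = 900   # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50     # assumed floor: ignore jitter between nearby locations


def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance between two points, in km."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = (sin((lat2 - lat1) / 2) ** 2
         + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371 * asin(sqrt(a))


def impossible_travel(sign_ins, max_kmh=MAX_KMH):
    """Return (earlier_city, later_city, km, hours) for each consecutive
    pair of sign-ins that would require travelling faster than max_kmh."""
    events = sorted(sign_ins, key=lambda e: e[0])  # ISO timestamps sort as text
    flagged = []
    for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
        km = distance_km(la1, lo1, la2, lo2)
        delta = datetime.fromisoformat(t2) - datetime.fromisoformat(t1)
        hours = delta.total_seconds() / 3600
        # Zero elapsed time across a real distance is also impossible.
        if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
            flagged.append((c1, c2, round(km), round(hours, 1)))
    return flagged


if __name__ == "__main__":
    for hit in impossible_travel(SIGN_INS):
        print("Impossible travel: %s -> %s, %d km in %s h" % hit)
```

Locations derived from IP addresses are approximate, and a VPN or mobile carrier can make a legitimate sign-in appear far away, so treat a flag as a reason to look closer rather than proof of compromise.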
Unexpected reset or verification prompts
Any password reset emails or verification codes you didn’t request mean credentials may be exposed or tested.
Reports from contacts and missing mail
If friends or coworkers report odd messages, treat that as evidence of compromise.
Also watch for missing or deleted emails; attackers sometimes remove alerts to delay your response.
- Document time, subject lines, and folders affected so you can act and report details if needed.
- Prioritize Sent/Outbox, recent security alerts, and recovery messages when investigating access.
- Keep a short record for follow-up with support or IT.
How to check if your email has been hacked in your provider’s security settings
Open your provider’s security dashboard and scan recent activity for anything that looks unfamiliar.
Review recent sign-in activity by device, browser, and location
Most major email providers label this area “Recent activity” or “Devices.” Look for unknown browsers, strange cities, or odd IP addresses. Note timestamps and any repeated failed attempts. If you see a login you don’t recognize, assume credentials were exposed and move to containment steps.
Look for unexpected account changes
Check profile fields for altered display names, profile photos, and the account address shown to others. Also review password change history and any added secondary usernames. Attackers sometimes tweak visible info to impersonate you.
Confirm recovery options and security questions
Verify that your recovery email and phone number are correct and still in your control. Review security questions where available. If any recovery detail was swapped, reclaim it immediately and document the change.
Audit connected apps and third-party access (OAuth)
Check “Connected apps” or “Third‑party access.” Revoke permissions for anything unfamiliar. OAuth tokens can keep access even after you change passwords, so remove unnecessary apps and reauthorize only trusted services. After cleaning these items, enable two‑factor authentication for stronger protection.
Check your inbox rules, forwarding, and filters for hidden access
Invisible inbox rules are a favorite trick for people who want to keep access and erase traces.
Attackers set forwarding and filters so messages vanish or reroute to other addresses. That allows ongoing access even after you change a password.
Find and remove auto‑forwarding
Look for any forwarding to unfamiliar addresses. Watch for rules that forward only certain senders or keywords like invoice or password.
Delete suspicious filters that hide alerts
Remove rules that auto‑delete, archive, mark as read, or move security messages. Those rules often conceal reset links and alerts.
Inspect signature and reply‑to settings
Verify the reply‑to address and signature text. Attackers sometimes redirect replies while leaving the visible From address unchanged.
- Scan forwarding lists and remove unknown addresses immediately.
- Remove rules that target security messages or recovery mail.
- After cleanup, reset credentials and then recheck for any reappearing rules — a sign of lingering access.
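The rule review described in this section, written as an added example (not any provider's tooling): it flags rules that forward mail outside your own domains and rules that delete, archive, move, or mark as read messages matching security-related keywords. The rule format, field names, keyword list, and sample rules are all constructed for illustration; real providers expose rules in their own formats.

```python
# Constructed sample of mailbox rules in a made-up export format.
RULES = [
    {"name": "Newsletters", "from": "news@example.org", "contains": "",
     "action": "move", "target": "Reading"},
    {"name": ".", "from": "", "contains": "password",
     "action": "delete", "target": ""},
    {"name": "backup", "from": "", "contains": "invoice",
     "action": "forward", "target": "archive@mail-backup.example"},
    {"name": "Team", "from": "boss@example.com", "contains": "",
     "action": "forward", "target": "assistant@example.com"},
    {"name": "x", "from": "", "contains": "security alert",
     "action": "mark_read", "target": ""},
]

# Assumed keywords that security and recovery mail tends to contain.
SENSITIVE = ("password", "reset", "security", "verification", "sign-in")
# Actions that keep a message out of the owner's sight.
HIDING_ACTIONS = {"delete", "archive", "mark_read", "move"}


def audit_rules(rules, own_domains):
    """Return (rule_name, reason) for every rule that deserves a manual look."""
    findings = []
    for rule in rules:
        match_text = (rule.get("from", "") + " " + rule.get("contains", "")).lower()
        keywords = [k for k in SENSITIVE if k in match_text]
        action = rule["action"]
        if action == "forward":
            # Any forward to a domain you do not control is worth reviewing.
            domain = rule["target"].rsplit("@", 1)[-1].lower()
            if domain not in own_domains:
                findings.append((rule["name"], "forwards to external address "
                                 + rule["target"]))
        elif action in HIDING_ACTIONS and keywords:
            findings.append((rule["name"], "%s applied to mail matching %s"
                             % (action, ", ".join(keywords))))
    return findings


if __name__ == "__main__":
    for name, reason in audit_rules(RULES, {"example.com"}):
        print("REVIEW rule %r: %s" % (name, reason))
```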
What to do immediately if you think hackers have access
If someone else may have access, treat the account as compromised and act from a safe device. Start containment before attackers use linked services.
Reset passwords from a trusted device
Change the main password right away while on a secure machine. Pick a long, unique passphrase that you never reuse.
Consider a password manager to generate and store strong values so you need not memorize them.
Sign out of all devices and end active sessions
Terminate every active session so any intruder is removed. Check connected apps and revoke tokens that look unfamiliar.
Enable two‑factor authentication with an authenticator app
Prefer app‑based authentication over SMS. It cuts risk from SIM swaps and interception.
Decline unexpected MFA prompts and watch for push fatigue
Do not approve repeated prompts you did not start. If prompts continue, deny them and reset the password again from the safe device.
Do not click links in strange alerts. Open the provider directly in a trusted browser. If you cannot complete these steps because access is blocked, follow the recovery process next.
If you’re locked out of your email account
If you cannot sign in, start with the provider’s official recovery flow. Use in‑product recovery links or the provider help pages only. Scammers often mimic support pages to steal more information, so stick to verified pages.
Use your provider’s official account recovery process
Open the recovery form and follow each prompt. Expect identity checks, device recognition prompts, backup codes, and verification by a recovery phone or email. These steps help confirm you are the legitimate owner.
What to do when recovery information changed or you can’t receive codes
If recovery details were swapped, you may need extra proof and more time. Submit any requested documents and answer account questions honestly. Start this process right away; delays let attackers entrench.
When to involve workplace IT or your security team
For business accounts, escalate immediately. IT or your security team can review logs, revoke sessions, remove risky rules, and warn coworkers about spoofed messages.
- Use only official recovery paths; do not share codes with callers.
- While you wait, warn key contacts via another channel and change critical passwords elsewhere.
- If account recovery stalls, involve support and IT for extra verification and containment.
Secure your devices and remove malware that may have caused the breach
Start by cleaning every machine and mobile you use for mail; lingering threats on a single device can undo all other fixes.
Update, scan, remove, restart
Update your operating system and any security tools first. Run a full scan with a trusted antivirus and let it quarantine or remove suspicious programs.
After deletion, restart the system and run a second scan. Repeat until scans return clean results.
Include phones and tablets
Mobile compromise is common through phishing links and malicious attachments. Check apps, remove unknown installs, and scan with mobile security tools.
Prevent repeat compromises
Keyloggers and fake login pages can capture new credentials and other data. Avoid public Wi‑Fi when signing in, use a VPN on untrusted networks, and never open unknown links.
- Why cleanup matters: malware like keyloggers records keystrokes and credentials.
- Simple sequence: update OS and security, full scan, quarantine/delete, restart, re‑scan.
- Check every device you use for email so threats cannot replay logins.
Protect your identity and connected accounts after you regain access
Regaining access is only the start; you must follow an ordered plan to protect identity and all services tied to that address. Move deliberately and document each step.
Change passwords on key accounts that rely on your email address
Start with the email account, then update passwords for banking, payment apps, cloud storage, and primary social media. Use unique passphrases and a password manager.
Watch for suspicious activity on financial accounts and sensitive services
Monitor recent logins, pending transfers, and statements for unusual charges. Keep alerts enabled and review data access logs where available for at least a few weeks.
Tell your contacts what happened so they don’t click links or send money
Notify friends, coworkers, and key contacts by a different channel. Ask them to ignore links, attachments, and payment requests that arrived from the compromised address.
Document what you saw and what you changed for follow-up and support
Record timestamps, suspicious IPs, altered forwarding rules, and each security action you took. This log aids support teams, workplace security, and any fraud claims.
Consider dark web exposure and credential reuse risk
If you reused passwords or used the same email on older breached sites, assume those credentials may appear on the dark web. Replace reused passwords and review connected apps, revoking anything unfamiliar.
- Prioritize accounts: banking, payment apps, social media, cloud, workplace tools.
- Order for changes: email first, then sensitive accounts, then lower-risk subscriptions.
- Keep a short contact script: “I was compromised. Don’t open links or send money from messages sent by me.”
Conclusion
Containment starts with firm choices: change passwords, sign out of active sessions, enable MFA, and remove strange forwarding rules and apps. These steps cut attacker reach and halt replay of stolen credentials.
When an email account looks compromised, review provider activity, lock access, and audit connected apps and filters. Focused action and short checks yield the fastest impact on security and recovery.
A hacked email is often a launchpad for wider account takeover. Keep monitoring sign‑ins, watch for reset attempts, and document what you changed during recovery.
Stay calm and methodical. With steady steps you can restore control, secure the rest of your accounts, and reduce the chance of repeat incidents. Reach out to support or IT if needed while you regain control of your email account.
Ava Kensington is a tech writer who believes technology should make life easier, not more complicated. She created MoodTechs to help everyday users get the most out of their devices with clear, step-by-step guides — no jargon, no fluff. From fixing a stubborn printer to locking down your privacy settings, Ava breaks it down so anyone can follow along.



