Short answer
What to know first
Practical first steps for securing a hacked email account, checking recovery paths, removing hidden access, and deciding when the situation becomes a business incident.
First 15 minutes
Start by assuming the email account is still important even if the attacker seems gone. Email is often the recovery path for banking, cloud storage, social media, payroll, domains, shopping accounts, and business tools.
Use a clean device if possible. If your main computer or phone is acting strangely, move to a trusted device before changing passwords or recovery settings.
- Change the email password from a trusted device.
- Check recovery email addresses and phone numbers before you relax.
- Look for forwarding rules, filters, connected apps, and unknown sessions.
- Turn on MFA or passkeys after you remove unknown access.
- If business payments, payroll, customer data, or admin accounts are involved, treat the situation as higher urgency.
Change the password safely
Use a new password that is not reused anywhere else. A password manager makes this easier because it can create and store a long unique password without forcing you to memorize it.
Do not change every account from the same possibly compromised session. Fix the email account first, then move through the accounts that use that email for password resets.
Check recovery email, phone, and backup methods
A password change is not enough if the attacker added a recovery email, changed a phone number, saved backup codes, or left another way back into the account.
Review the account security page carefully. Remove recovery methods you do not recognize. Confirm that backup codes are regenerated or replaced if they may have been exposed.
- Recovery email addresses
- Recovery phone numbers
- Backup codes
- Trusted devices
- Passkeys or security keys
- Delegated mailbox access
Review forwarding rules and mailbox filters
Attackers sometimes create rules that hide messages, forward mail to another address, or move security alerts out of view. That can let the account look normal while important messages disappear.
Check forwarding, filters, inbox rules, blocked senders, auto-delete rules, signatures, vacation responders, and delegated access. If this is a business mailbox, also check admin-level rules if you have access.
Sign out other sessions and review connected apps
Most major email platforms let you review active sessions, devices, and third-party applications. Sign out sessions you do not recognize, remove connected apps you do not use, and watch for old devices that should no longer have access.
After that cleanup, enable strong MFA or passkeys. MFA should not rely only on a phone number if the account is especially important.
Warn contacts if needed
If suspicious messages were sent, tell affected contacts plainly and quickly. Keep it calm: your account was accessed, they should ignore unusual messages or links, and they should verify payment or document requests through a known channel.
For businesses, review invoice, payroll, payment-change, and vendor workflows. A compromised inbox can be used to change payment instructions or gather context for a later fraud attempt.
When this becomes an incident
A hacked email account becomes more serious when it touches customer data, money movement, payroll, legal records, regulated information, domain administration, executive accounts, or shared business systems.
The goal is not panic. The goal is to preserve facts, secure access, understand what the account could reach, and decide whether legal, insurance, IT, platform, banking, or incident-response help is needed.
FAQ
Should I delete the hacked email account?
Usually not as a first move. Secure it, preserve useful evidence, check recovery paths, and understand what else depends on that email before deleting anything.
Can 402InfoSec recover my Gmail or Yahoo account?
402InfoSec can provide practical guidance, lockout planning, and account-hardening help, but platform recovery outcomes depend on the provider and the specific situation.
What if the hacked email is used for business invoices?
Treat that as higher urgency. Review payment-change messages, vendor instructions, payroll, bank communications, and any accounts that use that mailbox for password resets.
Should I send screenshots through the contact form?
No. Keep the first inquiry lightweight. If the fit looks right, a safer way to exchange sensitive details can be agreed.
Sources and Notes
These references support the practical guidance above. They do not guarantee platform recovery, legal outcomes, or emergency response availability.
- FTC: Hacked Email and Social Media Accounts Consumer guidance for account recovery, password changes, and warning contacts.
- FTC Data Breach Response Guide for Business Business guidance for preparing and responding when sensitive information may be involved.