What to Do When Your Email Gets Hacked

What to do when your email gets hacked

‍ ‍

Someone's in your email. Maybe your contacts are getting strange messages, maybe your password stopped working, maybe you just got a login alert from a country you've never been to.

Here's the thing almost nobody tells you, and it's the reason so many people "fix" this and get hacked again a week later:

Changing your password usually doesn't kick them out.‍ ‍

That sounds wrong. It isn't. And once you understand why, the rest of this makes sense.

Why the password isn't the problem

‍ ‍

When you log into your email, the service hands your browser a session — that's what keeps you logged in so you're not typing your password every time you check your mail. That session is issued after you log in, and it lives on its own.

So when the attacker logged in with your stolen password, they got a session too. On most services, changing your password doesn't end their session. They just stay logged in and watch you do it.

This is also why two-factor authentication didn't save you. A stolen password can be stopped by a second factor. A stolen session has already been through the second factor. There's nothing left to stop.

And that's before we get to the ways they've probably set up to come back later. More on that in a minute — it's the part that matters most.

Step 1: Get to a device you trust

‍ ‍

Do not do any of this on the computer or phone you think is compromised.‍ ‍

If there's anything nasty on that machine reading your keystrokes, then changing your password on it just hands the attacker your new one, live, while you're feeling relieved.

Use a different device. A partner's laptop, a work computer, a phone that isn't the one in question, a library machine. It doesn't have to be fancy. It has to be clean.

If you're not sure how they got in, assume the machine is the problem until you've ruled it out.

Step 2: Get back in, and lock the door

‍ ‍

From that clean device:

  1. Change your password. Long, unique, not a version of the old one.

  2. Turn on two-factor authentication if it isn't already. An authenticator app is better than text messages.

  3. Sign out of all other sessions. This is the step that actually evicts them, and it's the one people skip.

That third one has different names depending on your provider:

  • Gmail / Google: go to your Google Account → SecurityYour devices → sign out anything you don't recognize. myaccount.google.com/security

  • Outlook / Microsoft: account.microsoft.com/security → review sign-in activity and devices.

  • Apple: appleid.apple.com → your devices list → remove anything that isn't yours.

Until you do this, everything else is decoration.

Step 3: The part everyone skips — find what they left behind

‍ ‍

An attacker who's been in your mailbox knows they might get caught. So they leave themselves a way back in. This is the most important section on this page, because none of it cares that you changed your password.

Check every one of these:

Forwarding rules. The classic. They set your email to silently forward a copy of everything to an address they control. You change your password, feel safe, and they keep reading your mail forever. Gmail: Settings → Forwarding and POP/IMAP. Outlook: Settings → Mail → Forwarding.‍ ‍

Filters and rules. Sneakier. A rule that automatically deletes any email containing "password reset" or "security alert" means you never see the warnings. Some people find rules that hide entire conversations. Gmail: Settings → Filters and Blocked Addresses. Outlook: Settings → Mail → Rules.‍ ‍

App passwords. These exist so older mail programs can connect without two-factor. Which is exactly why attackers create them — an app password bypasses your 2FA entirely, and on some services it survives a password change. Delete any you don't recognize. Gmail: myaccount.google.com/apppasswords.‍ ‍

Connected apps. Anything you've ever granted access to your account. If they got you to approve something, it has standing access that doesn't care about your password. Remove anything unfamiliar — and remove the permission, not just the current connection. Gmail: Google Account → Security → "Your connections to third-party apps."‍ ‍

Your recovery email and phone number. If they changed these to an address they own, they can simply reset your password back and take the account again. Check both. This one bites people twice.

Security questions. Same idea, older mechanism. If they've been changed, change them back.

Aliases and "send mail as." These let them send email as you even after you've locked them out of the inbox. Gmail: Settings → Accounts and Import.‍ ‍

Delegated access. Gmail and Outlook can both give another account permission to read your mailbox. Almost nobody checks this one, and it's about as bad as it gets. Gmail: Settings → Accounts and Import → "Grant access to your account."‍ ‍

A password change with a forwarding rule still in place means they still have everything — and now you think you're safe. That's worse than doing nothing.

Step 4: Everything downstream

‍ ‍

Your email is the master key. Every account you own resets its password through it. So once the mailbox is genuinely yours again:

  • Anything financial — bank, PayPal, anything with a card in it

  • Anything that resets through that email — which is most things

  • Anything using the same password, or a close cousin of it

If the password on your email was used anywhere else, treat every one of those accounts as compromised. That's not being paranoid. That's how they got in, most of the time — an old breach at some site you forgot about, and the same password.

Check haveibeenpwned.com to see which breaches your address has turned up in. It's free and it's run by a well-known security researcher, not a scam.

Step 5: How do you know they're actually gone?

‍ ‍

Not by feeling better. By checking:

  • Password changed, from a clean device

  • Two-factor on

  • All other sessions signed out

  • No forwarding rules, no strange filters

  • No app passwords you didn't create

  • No connected apps you don't recognize

  • Recovery email and phone are yours

  • No delegated access, no unexpected aliases

  • Sign-in history shows only you

That list is the actual answer to "am I safe now." Anything less is hoping.

What you can't undo — and you should know this now

‍ ‍

I'd rather tell you than let you find out:

  • Anything they read, they read. Assume everything in that mailbox has been seen.

  • Anything they sent, they sent. You can warn people, but you can't unsend it.

  • If they took data, it's gone. You're closing the door, not un-taking what's already out.

  • Money that moved is the bank's problem, and it's urgent. That call happens before anything on this page.

The goal here isn't to undo it. It's to make sure today is the last day of it.

If it was someone you know

‍ ‍

One thing worth saying plainly, because it comes up more than people think.

If you suspect the person in your account is a partner, an ex, a family member, or someone with physical access to your devices — stop, and don't change anything yet. Locking them out tells them instantly that they've lost access, and that can make a bad situation dangerous. There may also be evidence that matters later.

‍ ‍

That's a different situation with different rules, and it deserves someone who does safety planning. In the US: the National Domestic Violence Hotline, 1-800-799-7233, or text START to 88788. Call from a device the person doesn't have access to.

If you'd rather not do this alone

‍ ‍

None of the above requires a professional. It requires an hour, a clean device, and the patience to check all of it instead of stopping at the password. Most people stop at the password.

But if you're staring at this list at 11pm and you just want someone to sort it out — that's what I do. I'm David Martin, I run Information Security Kentucky out of Hardin County, and a good chunk of my work is exactly this: someone got in, and you need it locked back down and you need to know they're out. No jargon, no lecture about how it happened. Reach out and we'll go through it.

And if it turns out the way they got in was something on your computer, that's a different conversation — one about whether your machine is clean and whether your files are actually recoverable. One thing at a time, though. Get the email back first.

David Martin

Information Security Kentucky LLC

Protect. Prevent. Prepare.

Hardin County, Kentucky

Next
Next

What Is Ransomware? A Plain-English Guide for Small Business Owners