The moment you realize someone else is inside your email account, every second counts. An email breach is not just an inconvenience — it is the master key to your digital life, because every other account resets its password through your inbox. This plan walks you through the first hour, the first day, and the cleanup that follows, in the exact order that limits damage.

Act fast: The average attacker begins attempting password resets on banking, shopping, and social accounts within minutes of getting in. The faster you respond, the less they can steal.
Email hack response illustration
Speed matters — the first hour determines how far an attacker can reach.

Phase 1: The First 15 Minutes — Contain the Breach

Before you recover anything, you need to stop the attacker from doing more damage and from locking you out.

  1. Try to change your password immediately. If you still have access, change the password to something long and unique. This single step kicks out most attackers who haven't yet set up persistent backdoors.
  2. Sign out of all other sessions. In Gmail, scroll to the bottom of the inbox and click "Details" › "Sign out of all other web sessions." In Outlook, go to Security › "Sign me out." This invalidates the attacker's active session even if you can't change the password yet.
  3. If you can't get in at all, start account recovery. Use the provider's recovery flow — for Gmail see our guide on recovering a Gmail account without a phone number, and for Microsoft accounts see recovering a hacked Outlook.com account.
Tip: If the attacker changed your recovery phone or email, do NOT skip the recovery form. Even outdated recovery info helps the provider verify you as the true owner.

Phase 2: The First Hour — Lock Down Linked Accounts

Once you've secured (or are recovering) the email account itself, turn to every account that uses this email address as its login or recovery contact. Attackers know this is where the real value is.

Work through these in order of financial sensitivity. The goal is to make sure the attacker can't use your email to reset passwords on anything valuable.

Phase 3: Audit What the Attacker Did

Once you regain access, don't just change the password and move on. You need to understand the scope of the breach so you know what else to fix.

Hidden forwarding rules are the #1 reason hacked accounts get compromised again. Attackers add a rule that quietly forwards every incoming email — including your new password-reset confirmations — to their inbox. Always check this, even if everything else looks normal.

Phase 4: Notify and Protect Others

An email breach affects more than just you. People you correspond with may now be targets.

Phase 5: Prevent the Next Attack

Recovery without hardening guarantees a repeat. Once the immediate crisis is over, invest an afternoon in locking down your accounts properly.

  1. Move to a password manager. Stop reusing passwords across sites. A password manager generates and remembers a unique password for every account.
  2. Enable two-factor authentication on the email account and every account that supports it. Prefer an authenticator app or hardware key over SMS — see our comparison of 2FA methods.
  3. Switch to passkeys where supported. Passkeys eliminate passwords entirely, making phishing nearly impossible.
  4. Update your recovery info — a current recovery email and phone number are your safety net for next time.
  5. Generate and store backup codes so you're never locked out if you lose your 2FA device.
Pro tip: Treat your email account as the most important account you own — because it is. Every other account's "forgot password" flows through it. Securing your email secures everything else.

How Do You Know It Was the Attacker and Not a Glitch?

Not every strange login is a hack — sometimes a new device, VPN, or app triggers a legitimate security alert. Signs that point to a real compromise include: password no longer works, recovery info was changed, unfamiliar emails in your sent folder, forwarding rules you didn't create, or contacts reporting strange messages from you. If you see any combination of these, treat it as a breach and follow the full plan above.

The Bottom Line

A hacked email account is recoverable if you move quickly and methodically. Contain the breach first, then lock down linked accounts, then audit for hidden backdoors like forwarding rules, then notify the people who need to know, and finally harden everything so it doesn't happen again. The attackers who succeed are the ones who get in fast and quietly — your job is to be faster and more thorough on the way back out.