The moment you realize someone else is inside your email account, every second counts. An email breach is not just an inconvenience — it is the master key to your digital life, because every other account resets its password through your inbox. This plan walks you through the first hour, the first day, and the cleanup that follows, in the exact order that limits damage.
Phase 1: The First 15 Minutes — Contain the Breach
Before you recover anything, you need to stop the attacker from doing more damage and from locking you out.
- Try to change your password immediately. If you still have access, change the password to something long and unique. This single step kicks out most attackers who haven't yet set up persistent backdoors.
- Sign out of all other sessions. In Gmail, scroll to the bottom of the inbox and click "Details" › "Sign out of all other web sessions." In Outlook, go to Security › "Sign me out." This invalidates the attacker's active session even if you can't change the password yet.
- If you can't get in at all, start account recovery. Use the provider's recovery flow — for Gmail see our guide on recovering a Gmail account without a phone number, and for Microsoft accounts see recovering a hacked Outlook.com account.
Phase 2: The First Hour — Lock Down Linked Accounts
Once you've secured (or are recovering) the email account itself, turn to every account that uses this email address as its login or recovery contact. Attackers know this is where the real value is.
- Banking and financial accounts — log in directly (never via email links) and change the password. Enable two-factor authentication if available.
- Shopping accounts — Amazon, eBay, and any stored-payment site. Check recent orders for fraudulent purchases.
- Social media — Facebook, Instagram, X, LinkedIn. These are frequent targets for spreading scams to your contacts.
- Cloud storage — Google Drive, OneDrive, Dropbox. Check for newly shared files or downloads.
- Work accounts — if this email is linked to an employer login, notify your IT or security team immediately.
Work through these in order of financial sensitivity. The goal is to make sure the attacker can't use your email to reset passwords on anything valuable.
Phase 3: Audit What the Attacker Did
Once you regain access, don't just change the password and move on. You need to understand the scope of the breach so you know what else to fix.
- Check email forwarding and filter rules. This is the most commonly overlooked backdoor. Attackers set up auto-forwarding rules that send copies of your incoming mail (including password reset emails) to their address. In Gmail, go to Settings › "Forwarding and POP/IMAP" and Settings › "Filters and Blocked Addresses." Delete anything you didn't create. See our guide on email forwarding risks for details.
- Review recent sign-in activity. Look for unfamiliar locations, devices, or timestamps.
- Check sent and deleted items. Attackers may have sent phishing emails to your contacts or deleted evidence of password-reset requests.
- Review account recovery settings. Make sure the attacker didn't add their own recovery email or phone number.
- Check connected apps and third-party access. Revoke any OAuth tokens or app permissions you don't recognize.
Phase 4: Notify and Protect Others
An email breach affects more than just you. People you correspond with may now be targets.
- Warn close contacts — especially family and coworkers — that they may receive scam emails appearing to come from you. Tell them not to click links, send money, or share codes.
- If financial or identity data was exposed, place a fraud alert with a credit bureau and monitor bank statements for 30–90 days.
- If work email was involved, follow your organization's incident-reporting process. Many breaches spread because employees stay quiet.
- Report the breach to your email provider and to relevant authorities (such as the FTC at reportfraud.ftc.gov in the US).
Phase 5: Prevent the Next Attack
Recovery without hardening guarantees a repeat. Once the immediate crisis is over, invest an afternoon in locking down your accounts properly.
- Move to a password manager. Stop reusing passwords across sites. A password manager generates and remembers a unique password for every account.
- Enable two-factor authentication on the email account and every account that supports it. Prefer an authenticator app or hardware key over SMS — see our comparison of 2FA methods.
- Switch to passkeys where supported. Passkeys eliminate passwords entirely, making phishing nearly impossible.
- Update your recovery info — a current recovery email and phone number are your safety net for next time.
- Generate and store backup codes so you're never locked out if you lose your 2FA device.
How Do You Know It Was the Attacker and Not a Glitch?
Not every strange login is a hack — sometimes a new device, VPN, or app triggers a legitimate security alert. Signs that point to a real compromise include: password no longer works, recovery info was changed, unfamiliar emails in your sent folder, forwarding rules you didn't create, or contacts reporting strange messages from you. If you see any combination of these, treat it as a breach and follow the full plan above.
The Bottom Line
A hacked email account is recoverable if you move quickly and methodically. Contain the breach first, then lock down linked accounts, then audit for hidden backdoors like forwarding rules, then notify the people who need to know, and finally harden everything so it doesn't happen again. The attackers who succeed are the ones who get in fast and quietly — your job is to be faster and more thorough on the way back out.