How To Recover a Hacked Email Account
Step-by-step guide to regaining access to a hacked email, securing it, and checking what the attacker may have accessed.
Last reviewed: 1 June 2026
First 10 minutes
- Go to your email provider's official account recovery page and start the process
- If you still have access, change your password immediately to a strong unique one
- Check your account for forwarding rules, filters, and connected apps you do not recognise
- Check your 'Sent' folder for emails the attacker may have sent in your name
- Check account settings for a changed recovery phone number or email
First 24 hours
- Enable strong app-based two-factor authentication once access is restored
- Change passwords on any accounts that use the same password or that were accessible via this email
- Notify contacts that your email was compromised if you believe phishing or fraud emails were sent
Contact your bank or payment provider
- If your banking notifications go to this email, alert your bank about the potential compromise
- Ask your bank to add a note to your account flagging potential social engineering attempts
- Review recent bank transaction emails for any requests or confirmations you do not recognise
Evidence to preserve
- Check your email provider's sign-in history for unfamiliar locations and devices
- Note the dates and times of suspicious access
- Screenshot any forwarding rules or filters that were added
Secure your accounts and devices
- Revoke access for any third-party apps connected to the hacked account
- Enable two-factor authentication and update your recovery phone number
- Review all accounts where password resets go to this email address
Report it
- Report to your national fraud/cybercrime service
- Report to the platform, bank, or provider involved
- Keep any reference numbers you're given
Email is the master key to most online accounts, because almost everything can be reset via email. When an attacker has access to your inbox, they can silently trigger password resets on banking, shopping, and social media accounts. Regaining control quickly and checking what they accessed are the most important steps.
Once access is restored, set up an authenticator app for two-factor authentication rather than SMS codes, which can be intercepted via a SIM swap. A password manager with a unique password for every site removes the biggest single risk: password reuse.
Frequently asked questions
What if I can no longer access the recovery phone number?
Use your email provider's identity verification process. Google, Microsoft, and others have step-by-step account recovery flows that verify identity through backup codes, trusted devices, or document verification.