Recover a Hacked Email Account
Regain access to your compromised email account and prevent the attacker from using it to take over other accounts.
Last reviewed: 1 June 2026
First 10 minutes
- Try to log in; if you are locked out, use the provider's account recovery flow
- Once in, change the password immediately to something strong and unique
- Enable two-factor authentication using an authenticator app
- Check for and remove any new forwarding rules, filters, or linked addresses
- Sign out all other active sessions and devices
First 24 hours
- Change passwords on any accounts that use this email for sign-in or password resets
- Check sent mail for emails dispatched without your knowledge
- Warn contacts who may have received suspicious messages from your address
- Review any financial or sensitive services linked to the email
- Report the compromise to the email provider
Contact your bank or payment provider
- If your banking is linked to this email, alert your bank and verify no password resets were triggered
- Consider temporarily locking your online banking pending a full security review
Evidence to preserve
- Note the date and time you first noticed the issue
- Record any suspicious sent emails, forwarding rules, or login alerts
- Save any notification or alert emails from the provider
- Document logins from unknown devices or locations in account activity
Secure your accounts and devices
- Prioritise accounts with financial, medical, or identity data linked to this email
- Update your password manager if you use one
- Enable app-based 2FA on every important account — not SMS if possible
- Review account recovery options and remove ones the attacker could use
- Check for OAuth or app permissions granted during the compromise
Report it
- Report to your national fraud/cybercrime service
- Report to the platform, bank, or provider involved
- Keep any reference numbers you're given
Your email account is the master key to most of your online life, because it can reset passwords for almost every other service you use. Regaining control and locking it down is the single highest-priority action after any account compromise.
Once you are back in, move quickly to undo any damage: remove forwarding rules that send copies to the attacker, check sent mail to understand what was accessed or sent in your name, and then work through every important account that used this email for authentication.
If you cannot recover the account through the provider's normal flow, contact their support team directly. Most major providers have an account recovery process for compromised accounts.
Frequently asked questions
The attacker changed my recovery phone number — what do I do?
Use the provider's identity verification process — you may need to prove ownership through previous activity, linked devices, or a government ID. Contact provider support directly if the standard flow fails.
Should I create a new email address instead?
Only as a last resort if the account cannot be recovered. If you must start fresh, update every important account and ensure the old address cannot be reactivated and misused.
How did the attacker get in?
Common routes include phishing, reused passwords exposed in a breach, and SIM swapping. Enabling app-based 2FA and using a unique password for each account blocks most of these routes.
What if scam emails were sent from my address to my contacts?
Warn your contacts directly (call or text, not from the compromised account) so they know to ignore the messages and not click any links.