Hacked email recovery: how to get your account back
If someone has taken over your inbox, here is the short version: change the password if you still can, sign out every device, and if you are already locked out go straight to your provider's official recovery page and start their identity check. Do it now, in that order. The reason speed matters is simple. The first thing an attacker does is change your recovery phone and backup email so you cannot claw your way back in. Beat them to it and this is very fixable. Below is the full process, plain English, no jargon, and what to do if the provider's own process leaves you going in circles.
First hour: act, do not panic
Account takeover feels like a fire, and that pushes people into the two worst moves: doing nothing while they work up the nerve, or thrashing at the login and locking the account harder. Neither helps. The window that matters is the first hour, before the attacker finishes locking you out and starts using the inbox as a skeleton key for everything else.
Two situations, two paths. If you can still log in, you are in a strong position: change the password, then find the setting that signs out or revokes all other sessions and use it. That one click ends the sessions the attacker already has open, which a password change alone does not always do. If you are already locked out, stop guessing passwords and open your provider's official account recovery page. Every major provider has one, and it is the only door that reliably works.
Is it actually hacked, or just playing up?
Before you go into full recovery mode, be sure it is a hack and not a synced-password glitch or an app that simply needs signing in again. A real takeover usually shows more than one of these signs:
- Your normal password stops working, and a reset does not fix it because the reset email or code goes somewhere you no longer control.
- There are sent emails, or password-reset requests to other services, that you did not make.
- People you know say they received strange messages or scam links from your address.
- Your recovery phone number or backup email has changed and you did not change it.
- You got a sign-in alert from a city or device you have never used.
One of these is enough. Do not talk yourself out of it because it "might be nothing." The cost of acting on a false alarm is a few minutes. The cost of ignoring a real one is your whole digital life.
Getting back in: work the official process
Recovery is not about finding a clever trick. It is about proving to the provider that you are the real owner, and giving their automated system every reason to believe you. A few things genuinely tip the odds in your favour:
- Use a device you have signed in on before. Providers weigh a recognised phone or computer heavily. A brand-new device from a strange location looks exactly like the attacker.
- Use a network you normally use. Your home internet is a familiar fingerprint to the provider. Doing recovery over a random public hotspot or a VPN in another country works against you.
- Answer honestly, even when you are not sure. Old passwords, the rough month you created the account, the contacts you email most often: a best honest guess beats a perfect-looking lie, because the provider's system cross-checks your answers against the account's real history.
- Do not spam the form. Submitting the recovery request ten times in a row can flag the account and slow everything down. Fill it in carefully once, then wait for the response.
Recovery can take a few tries and sometimes a day or two while the provider verifies you. That is the system doing its job. It is deliberately hard to take an account off someone, which is annoying now but is the same wall protecting you from the attacker.
You are back in. Now lock it down properly.
Getting back in is only half the job, and it is the half people stop at. An attacker who had your inbox almost always leaves a way back in, so assume they did and go looking. In order:
- Set a strong, unique password. New, long, and never used on any other account. If it is a password you have typed anywhere else, treat it as already known.
- Turn on two-step verification. This is what stops a stolen password being enough on its own. An authenticator app is more robust than a text message. If you want the detail, see our guide on two-factor authentication setup without locking yourself out.
- Kill hidden forwarding and filters. This is the step almost everyone misses. Attackers set a rule that quietly copies your incoming mail to their own address, or a filter that auto-deletes the provider's security warnings so you never see them. Open your mail settings, check forwarding, check every filter or rule, and delete anything you did not create.
- Check recovery details and connected apps. Remove any recovery phone or backup email you do not recognise. Then look at the list of third-party apps with access to the account and revoke anything you do not use or trust.
- Reset everything that leans on this inbox. Your email is the master key: whoever controls it can reset the password on your bank, your shopping accounts, your social media. Change those passwords too, banking and money-holding accounts first.
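As an added illustration of the forwarding-and-filter check above (example code, not from the original article), here is a small audit script that flags the two kinds of rule that step describes: forwarding to an address you do not control, and filters that hide or delete provider security warnings. The rule format, sample rules and addresses are constructed, since every provider exports rules differently; map your provider's export onto MailRule before running it on real data.

```python
# Audit mailbox rules for the two persistence tricks described above: silent
# forwarding to an outside address, and filters that hide security warnings.
# The MailRule shape and the sample data are constructed for this example.
from dataclasses import dataclass, field

# Phrases that typically appear in a provider's security mail (constructed list).
SECURITY_PHRASES = ("security alert", "new sign-in", "password", "verification code", "recovery")

@dataclass
class MailRule:
    name: str
    match: dict = field(default_factory=dict)    # e.g. {"from": "...", "subject": "..."}
    actions: dict = field(default_factory=dict)  # e.g. {"forward_to": "...", "delete": True}

def audit_rules(rules, own_addresses):
    """Return (rule name, reason) pairs for rules that look attacker-made."""
    own = {a.lower() for a in own_addresses}
    findings = []
    for rule in rules:
        target = rule.actions.get("forward_to")
        if target and target.lower() not in own:
            findings.append((rule.name, f"forwards mail to {target}, an address you do not control"))
        # Any action that keeps a message out of sight counts as hiding it.
        hides = any(rule.actions.get(k) for k in ("delete", "skip_inbox", "mark_read"))
        criteria = " ".join(str(v) for v in rule.match.values()).lower()
        if hides and any(p in criteria for p in SECURITY_PHRASES):
            findings.append((rule.name, "hides or deletes mail that looks like a security warning"))
        elif hides and not rule.match:
            findings.append((rule.name, "hides every incoming message (no match criteria)"))
    return findings

# Constructed sample: one legitimate rule and two planted by an attacker.
SAMPLE_RULES = [
    MailRule("newsletters", {"from": "news@example.org"}, {"skip_inbox": True}),
    MailRule("rule 1", {}, {"forward_to": "drop.box@attacker.example"}),
    MailRule("rule 2", {"subject": "New sign-in to your account"}, {"delete": True, "mark_read": True}),
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, ["me@example.com"]):
        print(f"{name}: {reason}")
```

Anything the script flags that you did not create yourself should be deleted, and the rule names are a hint too: attackers tend to leave the provider's default names in place.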
Why recovery is the real weak point
Here is the part most advice skips, and it is the reason a well-defended account still gets taken. A strong password and two-step verification guard the front door, the normal login. They do very little for the back door, account recovery. Attackers do not brute-force a good password. They trigger a "forgot password" flow and aim it at whatever recovery channel is weakest: an old backup email you forgot you had, a phone number that lapsed, or a security question whose answer is on your public profile. Once they own the recovery path, your login protections are simply bypassed. That is why "just use a strong password" is not the whole answer, and why cleaning out stale recovery details after you get back in matters as much as the password itself.
What not to do
A few things make it worse, and they are worth saying plainly. Do not pay anyone who claims they can restore your account for a fee, and never pay an attacker holding it to ransom. Paying gets you nothing enforceable and usually another demand. Do not create a brand-new email and abandon the old one while it is compromised, because the attacker still has the keys to every service tied to it. And do not reuse the old password anywhere just because it is familiar. If it was on the hacked account, consider it public.
When it is beyond a DIY fix
Sometimes the provider's process loops without ever verifying you, or the account holds something too important to gamble on getting wrong: a business inbox, years of family photos, the recovery point for your money. That is not you failing. Account takeover is engineered to be hard to unwind, and the automated recovery systems are blunt instruments that do not always recognise a genuine owner. If you would rather not do it alone, a calm, patient hand who has walked this path before can make the difference. Start assisted recovery with us and we will help you get back in safely, in the right order, at your pace.
Frequently asked questions
What is the first step in hacked email recovery?
If you can still log in, change the password right now and sign out every other device from the account's security settings. That kicks the attacker out of the sessions they already have. If you are already locked out, go straight to your provider's official account recovery page and start their identity check. Speed matters, because the first thing an attacker changes is your recovery phone and backup email so you cannot get back in.
How do I know if my email has really been hacked?
The clear signs are: your usual password stops working, there are sent messages you did not write, contacts say they got odd emails from you, your recovery phone or backup email changed without you doing it, or you get alerts about sign-ins from places you have never been. A single one of these is enough to act on. Do not wait for a second sign.
What should I do after I get my email account back?
Set a strong, unique password, turn on two-step verification, then hunt for what the attacker left behind: hidden forwarding rules, filters that auto-delete provider warnings, and any recovery phone or backup email you do not recognise. Remove all of it. Then reset the passwords on anything that uses that inbox to recover, starting with banking, then anything that holds money or card details.
Should I pay a hacker who is holding my email to ransom?
No. Paying does not get your account back, because the person you are paying has no obligation to keep their word and often no way to reverse what they did. Work the provider's recovery process instead. That is the only path that actually restores control, and it costs nothing.