Hacked Gmail account: recover it step by step
The short version: go to accounts.google.com/signin/recovery on a device you normally use, answer with the last password you remember, and if the hacker changed your recovery email or phone, answer with the details you originally set, Google still recognises them for a period. There is no Gmail phone support, so do not pay anyone who says otherwise. The full process is below, including what to do when the form keeps looping.
Start here: the official recovery path
Gmail recovery is entirely automated, which cuts both ways. There is no human to convince, but there is also no human for the attacker to trick. Your job is to give the system the signals it trusts, in this order:
- Open Google's account recovery page. Go to accounts.google.com/signin/recovery. This is the only door. Google has no support line that can recover a free Gmail account, so anyone on the phone offering to do it for a fee is a scam.
- Use a device and network Google already knows. Run recovery from the phone or computer you normally use Gmail on, at home on your usual internet connection. A familiar device on a familiar network is the strongest signal you can send that you are the real owner.
- Answer with the last password you remember. Even if it is months old, the last password you actually remember is a strong proof. Honest near-misses beat confident wrong answers, because Google cross-checks against the account's real history.
- Answer the recovery prompts with your original details. If the attacker swapped your recovery email or phone, answer with the details you originally set up. Google's system recognises previous recovery details for a period after a change, precisely because attackers change them first.
- Wait, then retry from the same device. If the first attempt fails, do not spam the form. Wait, then try again from the same device with any extra detail you can add. Repeated rapid-fire attempts from new devices look like the attacker.
If the hacker changed your recovery email or phone
This is the standard first move in a Gmail takeover, and Google engineered the recovery flow around it. Changed recovery details do not take effect as the only truth immediately: the form will still ask about, and accept, the recovery email and phone number that were on the account before. So answer as the account owner you were, not as the account looks now. If you got a "recovery email was changed" alert from Google to your backup address, use the link in that alert too, it can reverse the change directly if you act quickly.
Back in? Lock it down before you do anything else
- Run the Security Checkup at myaccount.google.com and remove any device, session or app access you do not recognise.
- Check Gmail forwarding and filters. Settings, then Forwarding and POP/IMAP, then Filters. Attackers add a quiet forward of everything to their own address, or a filter that auto-deletes security warnings. Delete anything you did not create.
- Fix your recovery details. Remove any phone or email you do not recognise, and set recovery details you actually control today.
- Set a new, unique password and turn on two-step verification. An authenticator app beats SMS. Our two-factor authentication setup guide shows how to do it without locking yourself out.
- Reset the passwords of accounts that recover through this Gmail, banking and money first. Whoever held the inbox could have reset any of them.
If you cannot get back in
If the official process keeps looping, do not pay anyone who cold-calls or advertises instant recovery, and never pay a ransom for your own account. In Australia, report the takeover through ReportCyber at cyber.gov.au, and if money or identity documents are involved, IDCARE provides free, government-funded support. If the account matters too much to gamble on, our assisted recovery works the provider's process for you: verified identity first, then patient, documented escalations. Start here.
Stop the next one before it starts
Getting the account back is the urgent half. The lasting half is closing the back door that let this happen: account recovery. A strong password and two-step verification guard the login, but a "forgot password" flow aimed at a weak recovery channel walks straight past both. Our guide to the recovery gap explains the mechanics, and the email security guide covers the five moves that actually matter. If you want the back door watched for you, that is exactly what SAFE2RECOVER does: we hold and guard the recovery mail for your important accounts, so a reset you did not ask for gets stopped before it lands. Get protected, there is no card required to start.
Frequently asked questions
Can I phone Google to recover my Gmail account?
No. Google does not offer phone support for free Gmail accounts, and it does not outsource recovery to third parties. Any phone number claiming to be Gmail support, and any ad promising instant Gmail recovery for a fee, is a scam. The recovery form at accounts.google.com/signin/recovery is the only official path.
The hacker changed my recovery phone and email. Is my Gmail gone?
Not necessarily. Google's recovery flow still recognises your previous recovery details for a period after they are changed, because attackers changing them is the most common takeover pattern. Answer the form with the recovery email and phone you originally set, from a device you have used with the account before.
Why does Google keep saying it cannot verify it is me?
The automated system weighs signals: device, location, password history, account age answers. Improve the signals you control. Use the exact device and home network you always used, answer with your last remembered password even if old, and try at a normal hour for your timezone. Then add anything new you remember and try again after a day, not ten times in an hour.
What should I check first after I get my Gmail back?
Run Google's Security Checkup, then open Gmail settings and check Forwarding and POP/IMAP, and every filter. Attackers add a quiet forward of your mail to themselves, or a filter that deletes Google's security alerts. Remove anything you did not create, remove unknown devices and app access, then turn on two-step verification.