Maybe your password suddenly stopped working, or a friend texted asking why you sent them a strange link. Perhaps you spotted a sign-in alert from a city you've never visited, or your Sent folder is full of messages you never wrote. These are the classic signs that someone else is in your email.
The good news is that you can almost always take it back, and you can lock the intruder out for good. The order of operations matters, though. Do things in the wrong sequence and the attacker walks right back in.
This guide walks you through confirming the hack, containing it safely, and then locking down Gmail, Outlook.com, Yahoo Mail, and your Apple Account, with the exact verified menu paths for each. Start at the top; the quickest, most common steps come first.
Confirm the Signs Before You Touch Anything
First, make sure this is really a compromise and not a glitch. Look for the telltale signs: your password no longer works; you receive password-reset or login-verification emails you didn't request; sign-in alerts mention unfamiliar devices or locations; contacts report spam or phishing "from you"; your Sent folder holds messages you didn't send.
Watch for the quieter signs too. An emptied Sent folder, missing emails, or vanished security alerts can be the only evidence, because attackers often delete those notices to hide their tracks. Changed account settings (recovery email or phone, signature, name), new forwarding, or new filter rules you didn't create are also red flags.
If you can still sign in, do it now on a device you trust to confirm you still have access.
Run a Full Malware Scan First, Before Changing Your Password
This is the step almost everyone skips, and it undoes everything else. If a keylogger or infostealer is sitting on your device, it captures your new password the instant you type it, and the attacker is right back in.
Make sure your security software is up to date, then run a full scan. On Windows, open Windows Security, select the "Virus & threat protection" tab, choose "Scan options," select "Full scan," then "Scan now." Run that full scan before you change your password.
Why a malicious app or extension matters: a single over-permissioned browser extension or third-party app can keep reading your mail through tokens or app passwords even after a password change, so cleaning the device comes first.
Check Have I Been Pwned to See What Leaked
The single most common way email accounts fall is a reused password exposed in someone else's data breach. Attackers take leaked email-and-password pairs and try them against your mailbox.
Go to haveibeenpwned.com, type your email address, and select "pwned?". If it returns "Oh no, pwned!", treat that password as fully compromised and plan to change it everywhere you reused it. You can optionally check a specific password at haveibeenpwned.com/Passwords, where only a partial hash of the password is sent.
Secure a Hacked Google Account or Gmail
If you can still sign in, sign in to your Google Account and open Security. Under "Recent security events," choose "Review security events" and mark anything unfamiliar with "No, it wasn't me" (choose "Yes" for activity you recognize).
1. Open "Your devices," select "Manage devices," find any unrecognized device, and use "Don't recognize a device?" to sign it out.
2. Change your Google Account password to a strong, unused one, then change it on any other site that shared it.
3. Turn on 2-Step Verification (a Google prompt, authenticator app, security key, or backup codes).
4. Run Password Checkup at passwords.google.com/checkup/start.
5. Review for tampering: recovery phone, recovery email, alternate or contact email, account name, 2-Step Verification methods, and "Less secure app access." Revoke unknown apps at myaccount.google.com/permissions.
Then clean Gmail itself, where attackers hide persistence. Review and remove anything unfamiliar in "Mail delegation," "Automatic mail forwarding," "Scheduled emails," "Automatic reply," "Address on outgoing mail" (send-as), "Blocked email addresses," IMAP/POP remote access, and "Filters and Blocked Addresses." Delete any unfamiliar Labels, Filters, and Forwarding rules. Forwarding is the number-one thing people miss, because it silently copies your mail, including password resets, to the attacker.
For added hardening, remove suspicious Chrome extensions and update Chrome, enable a screen lock, and review Google Drive activity and Google Photos sharing. If cards are saved in Google Pay or Chrome, contact your bank.
If You Cannot Sign In to Google, Use Account Recovery
If someone changed your password, recovery phone, or deleted the account, go to accounts.google.com/signin/recovery and answer the questions as accurately as you can. Forgot your username? Use accounts.google.com/signin/usernamerecovery with a recovery phone or email plus the full name on the account.
Two reassuring facts: wrong guesses won't kick you out, and there's no limit on attempts, so answer everything even if unsure. Note that recovery-info changes can take up to 7 days to take effect. Never use third-party recovery services and never share verification codes; there is no phone number to call Google for account recovery. For a work or Workspace account, contact your administrator instead.
Recover a Hacked Microsoft or Outlook.com Account
After your malware scan, change your password at account.microsoft.com if you can sign in. If you can't, reset it through Microsoft's password-reset flow and create a strong password.
Next, review your account settings for attacker changes to Connected accounts, Forwarding, and Automatic replies. Then clean the two persistence spots inside Outlook.com:
1. Turn off rogue forwarding: select Settings, then Mail > Forwarding, clear "Enable forwarding" (or select "Disable forwarding"), then select "Save." You may need two-step verification enabled and may be asked to verify your identity.
2. Remove malicious inbox rules: Settings > Mail > Rules. Use the toggle next to a rule to disable it, or select Delete to remove it. Watch for rules that move, delete, or forward "all messages," odd random-character names, or rules targeting words like "bank," "password," or "invoice."
Because these rules are server-side, a new rule only affects mail received after it was created. Also review billing and subscriptions for unrecognized purchases, and restore any deleted email.
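The three warning signs for inbox rules listed above can be turned into a quick triage pass. This is an added example, not Microsoft's tooling: the rule records use a hypothetical dictionary layout (`name`, `from`, `keywords`, `actions`) that you would fill in by hand from the Rules page, and the sample rules are constructed.

```python
import re

SENSITIVE = ("bank", "password", "invoice")     # words the guide calls out
RISKY_ACTIONS = {"move", "delete", "forward"}   # actions the guide calls out

def looks_random(name):
    """Crude heuristic: no letters at all, or 4+ letters with no vowel among them."""
    letters = re.sub(r"[^a-z]", "", name.lower())
    if not letters:
        return True
    return len(letters) >= 4 and not re.search(r"[aeiou]", letters)

def triage_rule(rule):
    """Return the reasons a rule deserves a manual look (empty list = nothing flagged)."""
    reasons = []
    actions = RISKY_ACTIONS & set(rule["actions"])
    keywords = [k.lower() for k in rule.get("keywords", [])]
    # No sender and no keyword condition means the rule fires on every message.
    if actions and not keywords and not rule.get("from"):
        reasons.append("applies to all messages: " + ", ".join(sorted(actions)))
    hits = sorted({w for w in SENSITIVE for k in keywords if w in k})
    if hits:
        reasons.append("targets sensitive words: " + ", ".join(hits))
    if looks_random(rule["name"]):
        reasons.append("random-looking name")
    return reasons

def flagged(rules):
    """Map rule name -> reasons, for rules with at least one reason."""
    return {r["name"]: why for r in rules if (why := triage_rule(r))}

# Constructed sample rules in the hypothetical layout described above.
RULES = [
    {"name": "Newsletters", "from": "news@example.com", "actions": ["move"]},
    {"name": "..", "actions": ["forward"]},
    {"name": "xkqzt", "keywords": ["Invoice", "bank transfer"], "actions": ["delete"]},
    {"name": "Receipts", "keywords": ["receipt"], "actions": ["move"]},
]

if __name__ == "__main__":
    for name, why in flagged(RULES).items():
        print(f"{name!r}: {'; '.join(why)}")
```

A flag is a prompt to open the rule and read it, not proof of compromise; a rule you created yourself can trip the same checks.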
Use the Microsoft Recovery Form If You're Locked Out
If the attacker changed your recovery details, go to the recovery form at account.live.com/acsr. Provide a working email Microsoft can reply to; it can even belong to a friend, since it's only used to contact you.
Gather identifying details: old passwords you may have used (check saved passwords in your browser or keychain), names of contacts, and exact email subject lines for Outlook.com or Hotmail. Submit from a device and location Microsoft already recognizes, such as home or office, to improve your odds. You can submit up to twice per day with no overall cap, and Microsoft responds within 24 hours.
Secure a Hacked Yahoo Mail Account
Yahoo compromises often show up as missing inbound email, spam sent to your contacts, logins from unexpected locations, or settings you didn't change. Change your password immediately, then work through the rest.
1. Delete any app passwords you don't recognize, and revoke app passwords after the reset.
2. Confirm your recovery email and mobile number are correct, and remove anything an attacker added.
3. Revert altered mail settings: filters, sending name, signature, reply-to address, send-only addresses, vacation response, default sending address, blocked addresses, and the auto-forwarding address.
4. Install or update antivirus and scan your device.
5. Turn on two-step verification.
To inspect activity, go to login.yahoo.com/account/security. Review "Current sign-ins," "External connections," and "Recent account activity." To sign out a device, click it under "Current sign-ins," then "Sign out." To cut off an app, open "External connections," select "App passwords," click the app, then "Delete app password." If you can't regain access, contact Yahoo Customer Care.
What to Do If Your Apple Account Is Compromised
Signs include Apple notifying you about activity you don't recognize, unexpected two-factor codes, messages you didn't send, an unrecognized trusted device, or a password that no longer works.
1. Change your password at account.apple.com to a strong, unique one (or use the reset flow if you can't).
2. Update your account information there, correcting anything you don't recognize.
3. Open the Devices section and remove any device you don't recognize.
4. Contact your email provider and cellular carrier to confirm you control all associated addresses and phone numbers, and check for unauthorized SMS forwarding.
5. If you can't sign in, start account recovery at iforgot.apple.com (there may be a waiting period).
To harden the account, turn on two-factor authentication, consider Security Keys, review all signed-in accounts across your iPhone, iPad, Mac, Apple Watch, HomePod, and Apple TV, and enable Stolen Device Protection on iPhone.
Report the Hack and Warn Your Contacts
Once the account is secured, warn your contacts not to click links in or reply to suspicious messages "from you," and to ignore any requests for money. Change the password on every other account that shared the same one.
If you're in the U.S. and suspect identity theft, go to IdentityTheft.gov to file a report and get a personalized recovery plan; include your email so the steps can be sent to you. Report fraud or scams at ReportFraud.ftc.gov. You can also place a free one-year fraud alert by contacting one of the three credit bureaus, which must notify the other two, making it harder for someone to open accounts in your name.
Frequently Asked Questions
Why should I scan for malware before changing my password?
If your device is infected with a keylogger or infostealer, it captures the new password the moment you type it, and the attacker is straight back in. Microsoft, Google, and the FTC all advise running a full scan first.
I changed my password, so why is the hacker still reading my mail?
Changing your password does not automatically sign out existing sessions, revoke connected apps, or remove hidden forwarding and filter rules. You must separately review active devices and sessions, revoke third-party access and app passwords, and delete any forwarding rules or filters the attacker created.
What is the most overlooked sign of a hacked email?
Hidden auto-forwarding and inbox rules. An attacker can silently forward copies of all your mail, especially password-reset emails, to themselves. Equally telling is what's missing: a deleted security alert, an emptied Sent folder, or vanished reset emails can be the only sign, since intruders delete those to cover their tracks.
Someone called offering to recover my account. Should I trust them?
No. Never share passwords or verification codes, and don't use third-party account-recovery services. Google explicitly warns against them and notes there is no phone number to call for account recovery. Use only the provider's own recovery flow.
I'm completely locked out. What now?
The attacker likely changed your recovery email or phone, so use the provider's dedicated recovery flow: accounts.google.com/signin/recovery for Google, account.live.com/acsr for Microsoft, Yahoo Customer Care for Yahoo, and iforgot.apple.com for Apple. With Google there's no limit on attempts and wrong guesses won't lock you out, though recovery changes can take up to 7 days. Apple recovery may impose a waiting period.
How did my email get hacked in the first place?
The most common cause is a reused or weak password exposed in another site's data breach, then tried against your mailbox. Other routes include phishing pages that capture your password, malware on your device, a malicious or over-permissioned app or extension, signing in on public Wi-Fi or shared computers, and SIM-swap or SMS interception that captures your verification codes.











