Yahoo Mail Account Hacked? Steps to Secure It Now

Technobezz

Senior Editor

Jun 2, 2026

You signed in to check your inbox and something felt off. Maybe a friend mentioned strange messages they got from your address, or your security page is showing logins from places you have never been. A hijacked Yahoo Mail account is unsettling because it often holds the keys to your other logins, your contacts, and years of personal correspondence. The good news is that you can take back control if you move quickly and work through the right sequence of fixes.

This guide walks you through confirming the breach, locking the intruder out, undoing the changes they made, and hardening the account so it does not happen again. Work through the steps in order, since each one builds on the last.

Telltale Signs Your Account Was Compromised

Before you start changing settings, make sure you are actually dealing with a hack and not a temporary glitch. Yahoo points to a handful of clear warning signs that an account has been taken over.

  • You are not receiving any emails.
  • Your Yahoo Mail is sending spam to your contacts.
  • You see logins from unexpected locations on your security page.
  • Your account info or mail settings were changed without your knowledge.

If one or more of these apply to you, treat the account as compromised and move straight into the steps below. Acting on the assumption of a breach is far safer than waiting to be certain.

Fix 1: Change Your Password Right Away

Your first move is to cut off the intruder's access by setting a new password. While you are signed in, head to the Yahoo Account security page at login.yahoo.com/account/security. This is the central hub for everything related to securing your account.

  1. Under "Ways of signing in," select the password option.
  2. Enter a new password.
  3. Confirm to save the change.

If you have Account Key enabled, you may need to disable it before you can set a new password. Changing the password is the first action in Yahoo's own hacked-account guidance, so do not skip it.

Fix 2: Reset Your Password If You Are Locked Out

Sometimes the attacker changes your password before you do, leaving you shut out entirely. In that case, you cannot sign in to reach the security page, so you will use Yahoo's Sign-in Helper instead. Go to login.yahoo.com/forgot to start the recovery flow.

  1. Enter your recovery email address or recovery phone number.
  2. Continue to the next screen.
  3. Follow the on-screen instructions to regain access.

Once you are back in, return to Fix 1 and set a strong new password before continuing with the rest of this list.

Fix 3: Delete App Passwords You Do Not Recognize

App passwords are a sneaky way for an intruder to keep access even after you reset your main password. That is because app passwords can stay active even when the primary password changes, so you have to revoke them by hand.

On the Yahoo Account security page, open the section for generating and managing app passwords. Then delete any app password you do not recognize. Yahoo's hacked-account guidance specifically calls out deleting app passwords you do not recognize, so review the full list carefully before you finish here.

Fix 4: Find and Remove Unusual Account Activity

Next, you want to see exactly who and what is connected to your account so you can boot out anything suspicious. The security page lets you review where the account is signed in, which third-party apps are connected, and the most recent changes made to the account.

Work through each of these areas. Sign out any device you do not recognize, and remove access for any connected app you did not authorize. Reviewing all of them ensures no lingering session stays open.

Fix 5: Update Your Recovery Email and Phone Number

Attackers often swap in their own recovery details so they can quietly reclaim the account later. Confirming your recovery options are current is one of the actions Yahoo lists in its hacked-account guidance, so it deserves real attention.

On the Yahoo Account security page, under "Ways of signing in," add a recovery email or phone number that you control. Then remove any recovery email or phone number you do not recognize, confirming each removal as you go. Make sure the only recovery methods left are ones that belong to you.

Fix 6: Turn On Two-Step Verification

Two-step verification is your strongest defense against a repeat takeover, since it requires a code in addition to your password whenever you sign in from a new device or browser. Even if someone learns your password again, they cannot get in without that second factor.

Sign in to your Account security page, then under "Ways of signing in," open the two-step verification option. Choose one of these methods and follow the on-screen prompts.

  • Push notification.
  • Your phone number.
  • An authenticator app.

If you currently use Yahoo Account Key, you may need to disable it first so you can enable two-step verification.

Fix 7: Reverse the Mail Settings an Attacker May Have Changed

Once someone has access, they often quietly alter your mail settings to keep intercepting messages or impersonating you. Yahoo advises checking the commonly changed settings and reverting anything you did not set yourself.

  • Email filters.
  • Sending name.
  • Email signature.
  • Reply-to address.
  • Send-only address.
  • Vacation response.
  • Default sending address.
  • Blocked addresses.
  • Auto-forwarding address.

Go through each one and restore it to what you expect. Unfamiliar filters and a changed reply-to address are especially common tricks, so do not rush this review.

Fix 8: Shut Down Unauthorized Auto-Forwarding

Auto-forwarding deserves its own step because it lets an intruder keep reading your incoming mail long after you have changed your password. Open your Yahoo Mail settings and look for the forwarding section under your mailbox options.

If you find a forwarding address you did not set up, remove it and save your changes. A forwarding entry you do not recognize is a strong red flag, so do not assume it is harmless. Removing it closes off one of the quietest ways an attacker can keep watching your inbox.

Habits That Keep Your Account Locked Down

Securing the account once is good, but staying secure is what keeps the hacker from coming back. Yahoo recommends a set of ongoing best practices that are worth building into your routine.

  • Use a strong, unique password and change it regularly.
  • Keep a current, secure recovery email and mobile number on file.
  • Make sure antivirus software is installed and kept updated.
  • Always sign out when using shared or public computers.
  • Avoid clicking uncertain links, even when they come from friends.

One rule is worth committing to memory: Yahoo never asks for your password in emails or phone calls. Any message that does is a scam, full stop. If you still cannot regain access after working through these steps, turn to Yahoo's official help resources for further assistance.

Frequently Asked Questions

How do I know for sure my Yahoo Mail was hacked?

Look for Yahoo's listed warning signs: you stop receiving emails, your account sends spam to your contacts, your security page shows logins from unexpected locations, or your account info and mail settings were changed without your knowledge. If any of these are present, treat the account as compromised.

Why do I need to delete app passwords after changing my main password?

App passwords can stay active even after you change your main password, so changing your password alone does not always revoke them. To fully cut off access, open the Yahoo Account security page, go to the section for managing app passwords, and delete any app password you do not recognize.

What should I do if I cannot sign in at all?

Use the Sign-in Helper at login.yahoo.com/forgot. Enter your recovery email or recovery phone number, continue to the next screen, and follow the instructions to regain access. Once you are back in, change your password and continue securing the account.

Will two-step verification stop a future hack?

Two-step verification adds a strong layer of protection because it requires a code in addition to your password whenever you sign in from a new device or browser. Even if someone obtains your password again, they cannot sign in without that second code. If you use Yahoo Account Key, you may need to disable it first to enable two-step verification.

Should I check for auto-forwarding even after changing my password?

Yes. Auto-forwarding can let an intruder keep reading your incoming mail long after a password change, so open your Yahoo Mail settings and review the forwarding section. If you find a forwarding address you did not set up yourself, remove it and save your changes.
