Key takeaways
- Email is often a reset key for other accounts, so recovery must include downstream services.
- Changing the password is not enough if forwarding rules, recovery methods, sessions, or app access remain compromised.
- Use a clean device and the provider’s official recovery process, then notify contacts who may receive scams.
- Repair accounts that relied on the inbox only after removing the attacker’s persistence.
Recognize the takeover pattern
- A password or recovery method changed without you.
- A login alert names an unknown device or location.
- Contacts receive mail you did not send.
- Messages disappear, move, or are marked read.
- Password-reset messages for other accounts appear or vanish.
- Rules forward mail to an unfamiliar address.
Start from a device you can trust
Update the operating system and security tools and scan for unwanted software when malware is possible. If the device is managed by an employer or school, contact its security team instead of running unapproved tools.
Navigate directly to the email provider’s official account-recovery page. Do not use a recovery phone number or link from an unsolicited message claiming to help with the hack.
Remove persistence after access returns
- 1
Change to a unique password and enable the strongest supported MFA or passkey.
- 2
Sign out other sessions and revoke unknown devices, app passwords, connected apps, tokens, and delegates.
- 3
Review recovery email, phone, security keys, and backup codes.
- 4
Delete unauthorized forwarding, inbox rules, filters, signatures, auto-replies, and mailbox permissions.
- 5
Check sent, deleted, archive, and trash folders to understand what the attacker did.
Repair the downstream accounts
| Priority | Action |
|---|---|
| Password manager and platform account | Review sessions, recovery, and stored credentials |
| Banking, tax, benefits, health | Check changes and unauthorized activity |
| Mobile carrier | Protect against number takeover and account changes |
| Cloud and social | Review sharing, messages, posts, and recovery |
| Reused password accounts | Replace every reuse with a unique credential |
Warn contacts and preserve evidence
The FTC recovery guide recommends telling contacts not to trust messages sent during the compromise. Name the approximate period and the type of request, without forwarding a malicious link.
Save provider alerts, suspicious headers, settings, financial changes, and recovery steps. If identity information or money was exposed, contact the affected institutions and use IdentityTheft.gov for a tailored recovery plan.
Evidence record
Sources and methodology
We used primary public sources for the factual framework, then wrote and structured this guide independently. Links are checked during editorial review and when a guide is substantively updated.
- How to Recover Your Hacked Email or Social Media AccountFederal Trade Commission · Used for: Takeover signs, recovery, settings, and contact notification
- IdentityTheft.govFederal Trade Commission · Used for: Identity-theft recovery after account compromise
This article is general educational information, not individualized financial, medical, legal, tax, cybersecurity, construction, or career advice.