Your Email Got Hacked? The Steps That Actually Lock the Intruder Out
June 9, 2026
Your email is the master key to every other account you own, so a hacker who gets in doesn't just read your mail — they set up ways to keep getting in. Changing the password is only the start. Here's the order that actually shuts them out, including the auto-forwarding rule and filter almost nobody checks.
Few things feel as violating as realizing someone else is inside your email. Maybe friends say they got a strange message "from you," maybe you got an alert about a sign-in from a city you've never been to, or maybe your password just stopped working. Whatever the tip-off, the instinct is right: act fast. But the part most people get wrong is thinking the job is "change my password and I'm done." On a seriously compromised account, changing the password alone often doesn't lock the intruder out — because while they were in there, they quietly set up ways to get back in.
This is different from being locked out because you forgot your password or got stuck in a verification loop (we cover that in our guide to 2FA lockouts). This is the other situation: you may still be able to log in, but someone else has been in there too, and you need to evict them and change the locks. Here's the cleanup in the order that actually works, the way we walk people through it across Southern California and the Coachella Valley.
First, make sure it's really hacked — and grasp why it matters so much
The clear signs, per the FTC: you can't log in even though you're sure of the password; you got a notice of a password or recovery-info change you didn't make; or you got an alert about a sign-in from a device or place that isn't you. Other tells are spam or odd messages in your Sent folder that you didn't write, replies to messages you never sent, or contacts telling you they got junk from your address. Any one of these is enough to treat the account as compromised and work through the steps below.
Why the urgency? Your email isn't just another account — it's the master key to almost everything else. Your bank, Apple or Google account, Amazon, PayPal, and most other logins all use email to reset a forgotten password. So whoever controls your inbox can request a reset on those accounts, grab the link that lands in your inbox, and take them over too. That's why a hacked email is an emergency and not just an annoyance, and why the cleanup doesn't end at the inbox itself.
Step 1: Get to a device you trust — and scan it before you change anything
Here's a step almost every quick guide skips, and it matters: before you change your password, make sure the device you're using is clean. Microsoft's own recovery guidance is explicit about this — "run a full scan on your PC before you change your password." The reason is simple and a little unsettling: if your computer or phone is infected with a password-stealer or keylogger (which is how a lot of accounts get taken in the first place), then the brand-new password you type in gets captured and handed straight back to the attacker. You'd be handing them the new key the moment you cut the old one.
So start on a device you trust, and run a full malware scan on it first. On Windows, the built-in Microsoft Defender is plenty for this — open Windows Security and run a full scan (our guide to scanning for viruses walks through it, and our antivirus piece explains why you usually don't need to buy anything). If you have any doubt about the computer the hack may have come through, do the next steps from a different device you know is clean — another computer, or your phone on cellular data — rather than the suspect machine.
Step 2: Change the password — then sign out everywhere
Now change your email password to something strong and, crucially, unique — not a tweak of the old one and not a password you use anywhere else. A longer passphrase of a few unrelated words is both stronger and easier to remember than a short jumble. If you can still log in, the password setting is under your account's security page; if you can't get in at all, skip to the locked-out section below.
Changing the password is necessary but, by itself, often not enough — because the attacker may already be signed in, and an existing session can keep running even after the password changes. So immediately do the step that actually kicks them off: sign out of all sessions everywhere. Google calls this managing your devices (Security > "Manage all devices," then sign out anything you don't recognize); Microsoft and most providers have a "sign out everywhere" option in account security. This drops every active session, including the hacker's, and forces every device to log in fresh with the new password they don't have.
Step 3: The step almost everyone misses — hidden forwarding rules and filters
This is the most important and most-skipped part of the whole cleanup. A smart attacker doesn't just read your mail while they're logged in — they set up automatic rules so they keep getting your mail and stay hidden even after you change the password and sign them out. There are two classic tricks, and you have to go hunting for both because nothing about them is obvious from your inbox.
The first is a secret auto-forwarding rule: a copy of your incoming mail is quietly forwarded to an address the hacker controls, so they keep seeing everything — including the password-reset emails for your other accounts. The second is a malicious filter: a rule that automatically deletes, or files away into the Trash or an odd folder, any message containing words like "password reset," "verification," "security alert," or your bank's name — so the warnings that would tip you off never reach you. In Gmail, open Settings (the gear) > See all settings > "Forwarding and POP/IMAP" and remove any forwarding address you don't recognize, then check "Filters and Blocked Addresses" and delete any filter you didn't create. In Outlook.com, go to Settings > Mail > Forwarding, and Settings > Mail > Rules, and remove anything unfamiliar. While you're in mail settings, also check your "automatic replies" / vacation responder — attackers sometimes set an auto-reply that pushes a scam link to everyone who writes to you.
Step 4: Close the other back doors — recovery info and connected apps
A determined intruder leaves more than one way back in. The big one is your recovery information: the backup phone number and email address used to reset the account. If a hacker swapped in their own phone or email there, they can trigger a "forgot password" and take the account straight back, even after everything above. Open your account's security or personal-info page and confirm the recovery phone number and recovery email are yours and only yours — remove anything you don't recognize.
Next, review which apps and devices have access to your account. Both Google and Microsoft list "connected" or "third-party" apps that you've granted access to over the years; an attacker may have authorized one to keep a foothold. Remove anything you don't recognize or no longer use. This is also where Google's built-in "Security Checkup" (and Microsoft's "Recent activity" page) earns its keep — it walks you through recovery info, recent sign-ins, connected apps, and devices in one place and flags what looks off.
Step 5: Turn on two-factor authentication
Now lock the door behind you. Turn on two-factor authentication (2FA), sometimes called two-step verification, on the email account. With it on, your password alone is no longer enough to get in — a second step is required, like a code from an authenticator app or a prompt approved on your phone — so even if the attacker grabs or guesses your password again, they're stopped at the door. In practice this is the single change that most reliably keeps an account from being hacked again, and providers report it often stops malicious rules from quietly recreating themselves, too.
An authenticator app (Google Authenticator, Microsoft Authenticator, or similar) or a passkey is sturdier than text-message codes, which can be intercepted by SIM-swap tricks — but any 2FA is hugely better than none. Whatever method you choose, save the backup or recovery codes it gives you somewhere safe and offline, so a future hiccup doesn't lock you out of your own account. If you want help getting 2FA set up so it protects you without becoming a daily headache, that's a common request for us.
If you can't log in at all
If the hacker already changed your password — or swapped the recovery email and phone so you're fully locked out — you can't do the steps above directly, and you have to go through your provider's account-recovery process instead. Google's is the standard "Forgot password" / account-recovery flow at accounts.google.com; Microsoft's recovery form is reached from account.live.com; Yahoo, Apple, and the rest each have their own. These forms ask questions only the real owner should be able to answer (old passwords, contacts, account creation details, devices you've used).
Two things make recovery far more likely to succeed: do it from a device, browser, and location you've used with that account before — the system trusts familiar context — and be patient, because it can take more than one attempt and a "try another way" route or two. Once you're back in, immediately run every step above (scan, new password, sign out everywhere, kill forwarding rules and filters, fix recovery info, turn on 2FA), because getting back in is only half the job.
Step 6: Now protect everything your email unlocks
Because your inbox is the reset key for your other accounts, assume the attacker may have used it to poke at them. Start with the highest-stakes ones — your bank and any cards, then anything that stores money or a card on file (Amazon, PayPal, app stores) — and your Apple or Google account. For each, change the password (again, unique per account), turn on 2FA, and check recent activity and any saved shipping addresses or payment methods for changes you didn't make. Skim your inbox and Trash for "your password was changed" or "welcome" emails from services you didn't touch — those are signs the hacker got into something downstream, and a heads-up about where to look first.
Keep an eye on bank and card statements over the next few weeks, and if you reused that email's password anywhere else, change it there too — reused passwords are exactly how one breach becomes five. This is also the moment a password manager pays off: it lets every account have its own strong password without you memorizing any of them, so the next time one service is breached, the damage stops at that one account.
Step 7: Tell your contacts
Finally, give your friends, family, and coworkers a quick heads-up — by text, a call, or from a different account — that your email was compromised and that any odd message, link, or money request "from you" in the last little while should be ignored. Hackers use a hijacked inbox to phish the people who trust you most, often with a believable "I'm stuck and need help" note, so a thirty-second warning can stop someone you care about from getting scammed in turn. It's the same playbook as the scam texts and AI voice-clone calls we've written about: the trust attached to a familiar name is the whole point.
When to get help
You can do all of this yourself, and most people can. But if you're locked out and the recovery form keeps failing, if the forwarding rules or filters won't stay deleted (a sign the device itself may still be infected), if money has already moved, or if you simply don't want to face a high-stakes cleanup alone, that's exactly the kind of call we like. We'll check the computer for the malware that may have caused it, walk through provider recovery with you, hunt down every back door the attacker left, lock the account with 2FA that won't lock you out, and help you secure the bank and shopping accounts your email protects.
We help homes and small businesses across Southern California and the Coachella Valley, in person or by remote support, and we don't rush or talk over you — especially helpful if this happened to a parent or grandparent who feels overwhelmed. The goal is simple: get the intruder out, keep them out, and leave you set up so it's far less likely to happen again.