What to Do If Your Email Is Hacked
Email is the “master key” to your digital life. It’s how you reset passwords, approve logins, access banking alerts, and authenticate social media and apps. That’s exactly why attackers target email accounts first: once they control your inbox, they can often take over everything connected to it.
If you suspect your email has been hacked (or you’ve been locked out), don’t panic—move quickly and methodically. This guide walks you through how to confirm suspicious activity, regain control, remove attacker persistence, secure linked accounts, and prevent it happening again.
How to Tell If Your Email Has Been Hacked
Some compromises are obvious (you’re locked out), but many are quiet. Watch for these common red flags.
1) You can’t log in (and your password “suddenly” doesn’t work)
If you’re sure the password is correct and it fails repeatedly, an attacker may have:
- Changed your password
- Changed your recovery email/phone
- Enabled MFA using their device
- Triggered suspicious-activity locks
2) You see logins you don’t recognise
Most providers show recent sign-ins (time, device, approximate location, IP or network info). For example, Microsoft’s “Recent activity” page highlights sign-in details and gives a “This wasn’t me” path to lock things down.
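As an added illustration (not from the original article or from any provider's tooling), the following Python script shows the triage a defender would run over an exported sign-in list: flag devices and countries the owner doesn't recognise, and flag "impossible travel" between two successful sign-ins that are too far apart for the time elapsed. The sign-in records, device names, coordinates, baseline sets and the 1000 km/h threshold are all constructed for this example; a failed attempt from far away is deliberately not used as evidence of travel, because it says nothing about where the owner is.

```python
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample of a provider's "recent activity" export. Every record
# here is invented for the example; real exports differ in field names.
SIGNINS = [
    {"time": "2024-05-01T08:02:00Z", "device": "Windows / Chrome", "country": "GB",
     "lat": 51.5, "lon": -0.1, "success": True},
    {"time": "2024-05-01T12:40:00Z", "device": "iPhone / Mail", "country": "GB",
     "lat": 51.5, "lon": -0.1, "success": True},
    {"time": "2024-05-01T13:05:00Z", "device": "Linux / Firefox", "country": "NG",
     "lat": 6.5, "lon": 3.4, "success": False},
    {"time": "2024-05-01T13:07:00Z", "device": "Linux / Firefox", "country": "NG",
     "lat": 6.5, "lon": 3.4, "success": True},
]

# What the account owner recognises as their own (assumed baseline for the example).
KNOWN_DEVICES = {"Windows / Chrome", "iPhone / Mail"}
KNOWN_COUNTRIES = {"GB"}
MAX_PLAUSIBLE_KMH = 1000.0  # faster than a commercial flight: treat as impossible travel


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(signins, known_devices, known_countries, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return the sign-ins worth investigating, each with the reasons it was flagged."""
    findings = []
    last_success = None
    for entry in sorted(signins, key=lambda e: e["time"]):
        reasons = []
        if entry["device"] not in known_devices:
            reasons.append("unknown device")
        if entry["country"] not in known_countries:
            reasons.append("unfamiliar country")
        # Impossible travel is only meaningful between two successful sign-ins.
        if entry["success"] and last_success is not None:
            elapsed = parse_time(entry["time"]) - parse_time(last_success["time"])
            hours = elapsed.total_seconds() / 3600
            km = haversine_km(last_success["lat"], last_success["lon"], entry["lat"], entry["lon"])
            if hours > 0 and km / hours > max_kmh:
                reasons.append(f"impossible travel ({km:.0f} km in {hours:.2f} h)")
        if reasons:
            findings.append({"time": entry["time"], "device": entry["device"],
                             "country": entry["country"], "success": entry["success"],
                             "reasons": reasons})
        if entry["success"]:
            last_success = entry
    return findings


if __name__ == "__main__":
    for f in triage(SIGNINS, KNOWN_DEVICES, KNOWN_COUNTRIES):
        status = "SUCCESSFUL" if f["success"] else "failed"
        print(f'{f["time"]} {status} sign-in from {f["device"]} ({f["country"]}): {", ".join(f["reasons"])}')
```

On the constructed data the two London sign-ins pass, the failed Lagos attempt is flagged only for unknown device and country, and the successful Lagos sign-in 27 minutes later is additionally flagged as impossible travel. A real provider's "This wasn't me" button is the right response to that last line; the script only tells you where to look.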
3) Your contacts get weird emails “from you”
If friends or colleagues report:
- Strange attachments
- Requests for gift cards, invoices, crypto, or urgent payments
- “Can you quickly help me?” messages
…assume compromise until proven otherwise.
4) Your inbox looks “tampered with”
Attackers often hide evidence by:
- Deleting security alerts
- Creating rules to move messages to Archive/RSS/Trash
- Marking messages as “read”
- Forwarding all mail to another address (common in business email compromise)
5) Suspicious settings: forwarding, filters, delegates, signatures
A forwarding address, filter, delegate, or signature you didn’t set up yourself is a strong sign of compromise; the persistence section below covers how to check each one.
6) Your device is suddenly slow or “off”
If your computer becomes sluggish, unstable, or your browser behaves oddly, you may be dealing with malware (including credential-stealing malware). That matters because if the attacker stole your session cookies or passwords from the device, changing your email password alone may not be enough.
Immediate Action Plan (Do This First)
Step 1: Use a clean device and safe network
Before you reset anything:
- If you suspect malware, don’t do password resets on that machine.
- Use a different device you trust (or boot into a clean environment).
- Avoid public Wi-Fi for recovery steps.
Step 2: Change your email password (and make it truly strong)
Create a long, unique password you’ve never used anywhere else. Best practice:
- 12–16+ characters minimum (longer is better)
- Use a passphrase (e.g., 4–5 random words) or a password manager-generated password
- Never reuse passwords across services
If your provider flags a password as unsafe/compromised, follow their prompts—Google, for example, recommends changing compromised passwords quickly.
Pro tip: After changing your password, also change it for any other accounts where you used the same (or similar) password. Password reuse is how one breach becomes many takeovers.
Step 3: Sign out of all sessions (kick the attacker out)
Most major email providers allow you to sign out everywhere / revoke sessions. This is critical because attackers may already be logged in.
The ACSC recommends signing out of all other sessions to remove an attacker’s access.
Step 4: Enable Multi-Factor Authentication (MFA), preferring phishing-resistant options
MFA dramatically reduces account takeover risk. CISA notes MFA is a powerful defense and widely recommended.
The ACSC also calls enabling MFA the most important defense for email accounts.
Options, from strongest to weakest:
1. Security keys (hardware keys) or passkeys (where supported)
2. Authenticator app (TOTP) or number-matching push prompts
3. SMS (better than nothing, but weakest due to SIM-swap risks)
Step 5: Secure your recovery options (or you’ll get re-hacked)
In your account settings:
- Verify your recovery email is yours
- Verify your recovery phone is yours
- Remove unfamiliar backup emails or phone numbers
- Regenerate recovery codes if your provider offers them
If an attacker changes recovery info, you can lose the account permanently.
If You’re Locked Out: How to Recover Your Account
If you can’t access the account at all, go straight to your provider’s official recovery process.
Microsoft account recovery
Microsoft provides a dedicated guide for recovering a hacked or compromised account.
Key actions typically include verifying identity, resetting the password, and reviewing security info and sign-in activity.
Google account recovery and security tools
Google encourages users to review account security and recent security events using Security Checkup and related tools.
Important: During recovery, only use official provider pages and avoid “support” phone numbers from random websites. Account recovery scams are common.
Remove Attacker Persistence: Check These Settings Carefully
Even after you reset your password and enable MFA, attackers sometimes maintain access using account settings. Spend 10 minutes doing a full sweep.
1) Forwarding addresses and POP/IMAP access
Look for:
- Any forwarding email you don’t recognise
- POP/IMAP settings enabled when you don’t use them
- Unknown mail clients connected to your account
If you don’t need POP/IMAP, disable them.
2) Filters and inbox rules
Review all rules and delete anything suspicious, such as:
- “If subject contains ‘security’ then delete”
- “If from contains ‘bank’ then mark as read and archive”
- “Forward all messages to …”
This is one of the most overlooked steps in real compromises.
3) Connected apps and third-party access (OAuth tokens)
Attackers often add access via “connected apps”:
- Remove anything you don’t recognize
- Revoke access to old apps you no longer use
- Pay attention to apps with permission to “read, send, delete mail”
4) Delegates, mailbox sharing, and “send as”
Especially in business accounts, check for:
- Delegated access
- Shared mailboxes
- “Send mail as” aliases you didn’t add
5) Signature and auto-reply messages
Attackers sometimes modify signatures to insert malicious links or a phone number (social engineering). Remove anything you didn’t add.
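The five checks above are easy to do inconsistently by hand, so here is an added example (not from the article, and not any provider's API) of the same sweep written as Python detection logic over a constructed snapshot of mailbox settings. The snapshot format, the addresses, the rule names and the app names are all invented for the example; the point is the rules it applies: forwarding to addresses you don't recognise, POP/IMAP left enabled when you don't use it, inbox rules that hide messages matching sensitive words or forward mail, connected apps that can send, modify or delete mail, unrecognised delegates, and send-as aliases you didn't add.

```python
# Terms attackers commonly want hidden from the victim, and folders used to bury mail.
SENSITIVE_TERMS = ("security", "password", "verify", "bank", "invoice", "login", "alert", "mfa")
HIDING_FOLDERS = ("rss", "archive", "trash", "deleted", "junk", "notes")
# OAuth-style scopes that let an app act on mail, not merely read calendar or profile data.
RISKY_SCOPES = ("mail.send", "mail.modify", "mail.delete", "mail.readwrite")

# Constructed snapshot of one mailbox's settings. Everything in it is invented.
SNAPSHOT = {
    "account": "alice@example.com",
    "forwarding": ["backup-alice@example.com", "collector@mail-relay.example"],
    "pop_imap_enabled": True,
    "rules": [
        {"name": "Newsletters", "conditions": {"from_contains": "news@"},
         "actions": {"move_to": "Newsletters"}},
        {"name": ".", "conditions": {"subject_contains": "security"},
         "actions": {"delete": True, "mark_read": True}},
        {"name": "Bank", "conditions": {"from_contains": "bank"},
         "actions": {"mark_read": True, "move_to": "RSS Feeds"}},
        {"name": "fwd", "conditions": {},
         "actions": {"forward_to": "collector@mail-relay.example"}},
    ],
    "connected_apps": [
        {"name": "Calendar Sync", "scopes": ["calendar.read"], "granted": "2023-11-02"},
        {"name": "Mail Helper", "scopes": ["mail.read", "mail.send", "mail.modify"], "granted": "2024-05-01"},
    ],
    "delegates": ["assistant@example.com", "unknown@example.org"],
    "send_as_aliases": ["alice@example.com", "ceo@example.com"],
}

# What the owner recognises (assumed inputs for the example).
KNOWN_ADDRESSES = {"backup-alice@example.com", "assistant@example.com"}
OWN_ADDRESSES = {"alice@example.com"}


def rule_is_suspicious(rule):
    """Return the reasons a rule looks like attacker persistence (empty list if none)."""
    reasons = []
    conditions = " ".join(str(v) for v in rule.get("conditions", {}).values()).lower()
    actions = rule.get("actions", {})
    hides = bool(actions.get("delete") or actions.get("mark_read")
                 or any(f in str(actions.get("move_to", "")).lower() for f in HIDING_FOLDERS))
    if hides and any(term in conditions for term in SENSITIVE_TERMS):
        reasons.append("hides messages matching a sensitive keyword")
    if actions.get("forward_to"):
        reasons.append(f"forwards matching mail to {actions['forward_to']}")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("blank or single-character rule name")
    return reasons


def audit_mailbox(snapshot, known_addresses, own_addresses, uses_pop_imap=False):
    """Run the persistence sweep and return (severity, area, detail) findings."""
    findings = []
    for addr in snapshot.get("forwarding", []):
        if addr not in known_addresses:
            findings.append(("high", "forwarding", f"mail is forwarded to unrecognised address {addr}"))
    if snapshot.get("pop_imap_enabled") and not uses_pop_imap:
        findings.append(("medium", "pop_imap", "POP/IMAP is enabled but you do not use it; disable it"))
    for rule in snapshot.get("rules", []):
        reasons = rule_is_suspicious(rule)
        if reasons:
            findings.append(("high", "rules", f"rule {rule.get('name')!r}: " + "; ".join(reasons)))
    for app in snapshot.get("connected_apps", []):
        risky = [s for s in app.get("scopes", []) if s in RISKY_SCOPES]
        if risky:
            findings.append(("high", "connected_apps",
                             f"{app['name']} holds {', '.join(risky)} (granted {app.get('granted')})"))
    for delegate in snapshot.get("delegates", []):
        if delegate not in known_addresses:
            findings.append(("high", "delegates", f"unrecognised delegate {delegate}"))
    for alias in snapshot.get("send_as_aliases", []):
        if alias not in own_addresses:
            findings.append(("high", "send_as", f"send-as alias {alias} was not added by you"))
    return findings


if __name__ == "__main__":
    for severity, area, detail in audit_mailbox(SNAPSHOT, KNOWN_ADDRESSES, OWN_ADDRESSES):
        print(f"[{severity:6}] {area:15} {detail}")
```

The "Newsletters" rule is left alone because it neither hides sensitive mail nor forwards anything; every other item in the constructed snapshot produces a finding. The keyword and folder lists are a starting point, not a complete list: an attacker who has read your mailbox knows which words matter to you, so the safest review still walks every rule by hand.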
Scan and Clean Your Devices (Because the Hack Often Starts Here)
If malware stole your password or session tokens, you can get re-compromised quickly.
What to do
- Run a full scan with a reputable endpoint security/antivirus tool
- Update your OS and browsers immediately
- Remove unknown browser extensions
- Check startup programs and installed apps for anything suspicious
If you suspect serious malware
If you’re seeing repeated compromises, unknown admin accounts, or banking activity changes:
- Back up essential files (carefully—avoid backing up executables)
- Consider a professional malware cleanup
- In severe cases, perform a clean OS reinstall
Secure Every Account Connected to Your Email
Once your email is compromised, attackers may immediately try to reset passwords for other services.
Prioritize these accounts first
1. Banking and payments (bank logins, PayPal, Apple/Google Pay)
2. Mobile carrier (SIM swap risk)
3. Primary social media (Facebook/Instagram/LinkedIn)
4. Cloud storage (Google Drive, OneDrive, iCloud)
5. Shopping accounts (saved cards, gift cards, points)
6. Work systems (Microsoft 365, Google Workspace, Slack)
What to do for each account
- Change the password to a unique one
- Enable MFA
- Review recent logins / devices
- Remove unknown sessions and connected apps
- Check profile data, payout/bank details, and shipping addresses
Notify Your Contacts (Without Creating More Risk)
If the attacker emailed people from your account, your contacts may be at risk.
What to send
- A short message saying your email was compromised
- Ask them to ignore recent suspicious emails/attachments/links
- If you sent an attachment, advise them to scan it before opening
Avoid sending long explanations or security details that could be used for impersonation. Keep it brief and clear.
Watch for Financial Fraud and Identity Misuse
Depending on what was in your inbox, an attacker may have access to:
- Invoices and payment details
- Tax documents
- Scans of IDs
- Password resets for other services
Practical monitoring steps
- Review bank and card transactions
- Check whether any new payees or transfers were added
- Monitor for new logins to key accounts
- Consider a credit report check if sensitive identity info was exposed (country-dependent)
How to Check If Your Email Address Was in a Data Breach
Sometimes your email wasn’t “hacked” directly: your password was leaked in a breach and reused by attackers.
A widely used service is Have I Been Pwned, which lets you check whether your email address appears in known data breaches.
If you find your email in breaches:
- Assume old passwords are known to criminals
- Change reused passwords everywhere
- Enable MFA on your most important accounts
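Besides the email-address search described above, Have I Been Pwned also publishes a Pwned Passwords "range" API that lets you check whether a specific password has appeared in a breach without sending the password, or even its full hash, to the service: you send only the first five hex characters of its SHA-1 and match the remaining 35 locally. The following is an added Python example (not code from the article or from Have I Been Pwned) of that client-side matching; the range response body is constructed so the example runs offline, with only the SHA-1 suffix of the word "password" being genuine. The live `fetch_range` helper needs network access and is provided for realistic use.

```python
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the API
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines; padded responses contain count-0 filler lines, kept as 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the corpus, matched locally on the suffix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (requires network). Add-Padding asks the API to hide the true response size."""
    req = urllib.request.Request(API + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response. The third line carries the genuine SHA-1
# suffix of "password" (full hash 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); every
# count and every other suffix is made up for the example.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5C1B7F2B6A9D3F0C8E4A2B1D9F7E6C5B4:0
"""

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 7Q!x"):
        print(f"{candidate!r}: seen {breach_count(candidate, SAMPLE_RANGE_BODY)} times")
```

Any count above zero means the password is on attackers' lists and should be retired everywhere it was used; a zero only means it was not in the corpus, not that it is strong. To run a live check, replace `SAMPLE_RANGE_BODY` with `fetch_range(prefix)` for the prefix returned by `sha1_prefix_suffix`.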
Prevention: Make Your Email Account Hard to Hack Again
1) Use a password manager (and stop reusing passwords)
Password managers:
- Generate unique passwords for every site
- Store them securely
- Make it realistic to use 30–200 unique logins without memorizing anything
2) Turn on provider security tools and alerts
Many providers offer:
- Security checkups
- Password health tools/checkers
- Alerts for new sign-ins and risky logins
Turn on notifications so you find out quickly if something changes.
3) Prefer phishing-resistant MFA
If your email account supports passkeys or security keys, enable them for your primary email and financial accounts.
4) Harden your browser (a common weak point)
- Remove extensions you don’t absolutely need
- Keep the browser updated
- Use separate browser profiles for work vs personal logins if possible
5) Learn the two most common email compromise paths
Most account takeovers start with:
- Phishing (fake login pages or “urgent security alerts”)
- Malware/infostealers (steal browser cookies and saved passwords)
If you remember nothing else: never log in from a link in an email. Navigate manually to the official site.
Business Email Compromise (BEC): Extra Steps for Work Accounts
Additional actions
- Notify your IT/security team immediately
- Review mailbox rules and forwarding (BEC attackers love this)
- Check for changes to supplier bank details and invoices
- Alert finance teams to watch for payment redirection attempts
- Consider forcing sign-out across the tenant and revoking tokens (admin action)
If you work with clients, you may also have notification obligations depending on your location and industry.
Jargon Buster
Spyware – malicious software that infiltrates your device to observe your activity and steal your sensitive information.
MFA – Multi-factor Authentication – an authentication method that needs the user to provide two or more verification factors to gain access to their data.
Firewall – a network security system that monitors and manages incoming and outgoing network traffic based on a given set of security rules.
Vaikhari A
FAQ
1) How long does it take to recover a hacked email account?
If you still have access, you can usually secure it in 15–30 minutes (password change, sign out of sessions, MFA, settings review). If you’re locked out, recovery depends on the provider’s verification steps and can take hours to days.
2) I changed my password—why is the hacker still sending emails?
Because they may have persistence set up:
- Auto-forwarding to their address
- Hidden inbox rules/filters (mark as read, archive, delete security alerts)
- A connected third-party app with mailbox access
Fix: remove forwarding/rules and revoke connected apps, then sign out of all sessions.
3) Should I tell my contacts my email was hacked?
Yes: send a short warning so they don’t click links or open attachments. Ask them to ignore recent suspicious messages and to verify any unusual request by phone or another channel.
4) What’s the safest type of MFA for email?
Best: security keys or passkeys (phishing-resistant).
Next best: authenticator app (TOTP) / number-matching prompts.
Least secure (but still better than nothing): SMS codes.
5) Can a hacker access other accounts through my email?
Yes. If they control your inbox, they can trigger password resets for banking, social media, cloud storage, shopping, and work tools. After securing email, immediately change passwords and enable MFA on your most important linked accounts.