If you believe your email has been hacked, stop and change your password immediately. Not after this article. Not in five minutes. Do it first, then come back. We will still be here. For the recovery checklist, jump to the action steps below.
Email security is something I take seriously because it is the reset key for almost every online account you have. If someone else has access to it, they do not need to rush or make noise. They can quietly watch incoming messages, reset passwords elsewhere, and lock you out later.
In over two decades working in IT, I have helped multiple people recover hacked email accounts. The pattern is almost always the same. Small signs get ignored, one account gets compromised, and then the damage spreads to bank accounts, shopping profiles, and social media. The good news is that catching it early, even minutes after the first warning sign, often stops the attack in its tracks.
In this guide, I will walk through the clear signs to tell if your email has been hacked, how attackers usually get access, exactly how to check whether your email has been exposed, and what to do about it.
How to Confirm a Hacked Email in Under 2 Minutes
Your email may be hacked if you notice key warning signs like being unable to log in, receiving password reset emails you did not request, seeing login alerts from unfamiliar devices or locations, finding messages in your Sent folder that you did not write, or discovering forwarding rules and recovery settings you did not create.
You can quickly confirm this in under two minutes by checking your recent login activity, reviewing your Sent folder, and inspecting your forwarding rules, filters, and recovery options for anything unfamiliar.
If you suspect a compromise, act immediately. Change your password from a trusted device, enable two-factor authentication, sign out of all active sessions, and review connected apps and account settings to remove anything you do not recognize.
10 Warning Signs Your Email Has Been Hacked
Most email compromises are discovered through small clues, not obvious takeovers. Some of these signs are unmistakable on their own. Others are more subtle and matter most when you see them together. Either way, take any warning sign seriously and investigate. Watch for these red flags:
- You can’t log in with your normal password
If your usual password suddenly stops working and you did not change it, someone else probably did. This is the most obvious sign of a full account takeover. Attackers often change the password as soon as they get in to lock you out while they work through your inbox.
- Password reset emails you did not request
If you are getting password reset emails from sites you did not try to log into, someone is testing your email to see what other accounts you have. This usually means an attacker already has access to your inbox and is using it as a springboard to take over your other accounts.
- Login alerts from unfamiliar devices or locations
Security alerts showing logins from a city, country, or device you do not recognize are a strong indicator of compromise. Occasional false positives happen, especially when you travel or use a VPN, but repeated alerts or alerts from far-away locations should never be ignored.
- Emails in your Sent folder you did not write
One of the clearest signs of a hacked account is finding messages in your Sent folder that you did not send. Attackers use hijacked accounts to send phishing emails to your contacts because messages from a known address are more trusted. Be aware that careful attackers delete these after sending, so an empty Sent folder is not proof you are safe.
- Messages marked as read or deleted that you never opened
If emails you were expecting have disappeared or show as read before you saw them, someone else may be reading and managing your inbox. This is especially concerning if password reset or bank alert emails are the ones going missing.
- New forwarding rules, filters, or recovery settings you did not create
This is one of the most common things I personally have seen. Attackers often set rules that automatically move incoming messages to the Deleted folder so you do not start receiving replies from people asking whether a suspicious email you sent is legitimate. They also want to prevent you from seeing a barrage of auto-replies, since those responses can quickly alert you that your account is being used to send bad emails to your contacts. Always check your forwarding rules, filters, and recovery email address for anything you did not set up yourself.
- Contacts reporting strange messages from you
If friends, family, or coworkers ask whether you really sent a weird link or an out-of-character message, take it seriously. Attackers commonly use hijacked accounts to phish people in your contact list. Your contacts are often the first to notice a compromise before you do.
- Two-factor authentication prompts you did not trigger
If you get a 2FA push notification or code when you are not trying to log in, someone else has your password and is actively trying to get past your second layer of defense. Never approve a 2FA prompt you did not initiate. Repeated prompts can also be a “push fatigue” attack where the attacker hopes you will approve one out of frustration. If you are not already using it, read Two-Factor Authentication 101 to understand how to properly secure your accounts.
- Unfamiliar apps or services connected to your account
Most major email providers let you see a list of third-party apps and services that have access to your account. If you see apps or services you did not authorize, an attacker may have given themselves persistent access so they can keep reading your mail even after you change your password. Revoke anything you do not recognize.
- Your device is suddenly slow or acting strangely
If your computer or phone has become noticeably sluggish, crashes more often, or your browser redirects you to unexpected sites, malware may be on the device. Keyloggers and info-stealers are common ways credentials get stolen in the first place. If your email was hacked and you are not sure how, your device itself may be the source of the leak.
Even a single warning sign is worth taking seriously. Changing your password takes a few minutes, but using a strong one matters just as much. If you are unsure what a secure password looks like, read Password Security 101. Recovering a fully hijacked account can take days, and the damage to your connected accounts can take weeks to unwind. If something feels off, trust that instinct and move on to the next steps.
Stop a Hack Before It Happens
The best time to secure your email is before anything goes wrong. Two-factor authentication is the single most effective step you can take to keep your account out of an attacker’s hands, even if your password gets stolen. It takes about five minutes to set up and blocks the vast majority of email takeovers.
Is Your Email Actually Hacked, or Just Acting Weird?
When you notice something strange, the biggest thing to remember is not to panic. Over the years, I have lost count of how many times I saw an odd login alert or a strange log entry and thought, “Okay, this is it, this is the big one.” Almost every time, it turned out to be something thankfully pretty boring. A phone that reconnected on a different network. Someone logging into a shared account from a new device. An email client syncing from a backup app I had forgotten about. Panic makes you skip steps and miss obvious explanations, so take a breath before you assume the worst.
Before you dive into recovery mode, run through this quick check.
Ask yourself:
- Did I recently log in from a new device, airport, hotel, or new phone?
- Did I install a new email app or connect my email to a new service?
- Was I traveling when that “unusual login” notification came in?
- Have I been sharing my account with a family member who logged in somewhere new?
- Did I recently use a VPN, which can make logins appear from a different city or country?
If the answer to any of these is yes, the alert is probably legitimate activity. If none of these fit, or you are seeing multiple warning signs stacking up, take it seriously and move on to the next steps.
One strange email can be a coincidence. But add to that a new forwarding rule or a login from another country, and now you have a pattern. Your job is to tell the two apart calmly.
How Attackers Usually Get Access
Email accounts are rarely hacked through brute force. In most cases, access is handed over without the victim realizing it.
Common ways this happens:
- Phishing emails that look like shipping notices, invoices, or security alerts
- Fake login pages that closely resemble your email provider
- Malware on a device that captures saved credentials
- Public Wi-Fi attacks that intercept login credentials, or attacks on an unsecured home Wi-Fi network
- Reused passwords exposed in data breaches, fed into credential stuffing attacks
One of the simplest ways to reduce your exposure on unsecured or public networks is to use a VPN to encrypt your connection before logging into sensitive accounts.
Many email compromises start with phishing messages that look completely legitimate. Test your ability to spot bad emails with the 6-question quiz located in the article, How to Spot Scam Emails.
What a Hacker Can Actually Do With Your Email
Understanding what is at stake helps explain why acting fast matters.
Once someone has access to your email, they can:
- Reset passwords on your bank, shopping, and social media accounts
- Read years of old messages for personal information, account numbers, and answers to security questions
- Send phishing emails to your contacts while pretending to be you
- Set up hidden forwarding rules so they keep seeing your mail even after you change the password
- Lock you out by changing the recovery email and phone number
- Sell access to your account on criminal forums so someone else can use it later
The scariest part is how quiet this can be. Many email compromises go undetected for weeks because a careful attacker does not want to tip you off. They just want to read, wait, and strike when the timing is right.
How to Check If Your Email Was Exposed in a Data Breach
One of the easiest ways to assess risk is to check whether your email address has appeared in known data breaches. This does not mean your email has been hacked, but it does indicate your address and possibly a password were exposed somewhere online.
Have I Been Pwned
Have I Been Pwned is a widely trusted breach notification site used by security professionals, companies, and governments.
How to use it:
- Go to the site
- Enter your email address
- Review any breaches listed
Why this matters:
- It shows which services were breached and when
- It helps identify password reuse risk
- It does not require you to enter a password
If your email appears in multiple breaches and you reused passwords, your email account is at higher risk even if nothing looks wrong yet.
Google’s built-in Dark Web Report
If you have a Google email address, you can also use Google’s built-in Dark Web Report to monitor for data breaches.
If you use a non-Google email address, such as Outlook.com, you can still use this feature by adding and verifying that email in your Google account, but the experience is more limited.
This is especially useful if your email is tied to a large number of online accounts.
Why You Should Test Your Email Even If Nothing Seems Wrong
Most compromised accounts show no obvious symptoms at first. Attackers often wait before taking action, especially if the email can be used to reset other accounts.
Checking your email against breach databases helps you:
- Understand your exposure history
- Decide whether a password change is urgent
- Prioritize securing high-risk accounts
Even if no breaches are found, confirming that gives peace of mind.
What To Do If Your Email Has Been Hacked
If you have not already changed your password, do that first. Then work through this checklist:
Immediate actions to secure account:
- Change your email password to something completely new and unique
- Enable two-factor authentication if it is not already on
- Log out of all active sessions in your email provider’s security settings
- Review and remove any third-party apps or services connected to your email account that you do not recognize
Within the next hour:
- Review recent login activity if your provider shows it
- Check recovery email addresses and phone numbers for unauthorized changes
- Look for unfamiliar forwarding rules or filters in your email settings
- Review and change passwords on your most important accounts (banking, shopping, social media)
- Scan your primary device for malware using Windows Defender, Malwarebytes, or your device’s built-in security tools
- If your email provider supports it, enable login and security alerts so you are notified immediately of new sign-ins or account changes
- If suspicious emails were sent, let your contacts know your email has been hacked so they do not interact with any recent messages
- Contact your email provider through their official support or account recovery process to report the compromise
- After changing your password, take a moment to review and update your security questions
Do not skip the recovery options. Attackers often change those first so they can regain access even after you secure your account.
What Not To Do If Your Email Is Hacked
- Do not keep using the same password after regaining access
- Do not approve two-factor authentication prompts you did not start
- Do not click recovery links from emails unless you are sure they came from the provider
- Do not assume changing the password is enough without checking forwarding rules, filters, recovery options, and connected apps
- Do not delete the email account unless you are sure it is no longer tied to important logins
What If You Are Locked Out Completely
If your email has been hacked and the attacker changed your password so you cannot get back in, you need to quickly follow these steps.
Immediate steps:
- Use your email provider’s account recovery process right away
- Have your phone ready for verification codes
- Prepare backup email addresses or security questions
- Contact your email provider’s support directly if automated recovery fails
While locked out:
- Change passwords on your most critical accounts, even if they do not use your email address for login, prioritizing banks, credit cards, investment accounts, and other financial services
- Enable login alerts on financial accounts
- Monitor your bank and credit card statements closely
- Consider placing a fraud alert on your credit report if the compromise seems serious
Time matters here. Most providers give you a window to recover your account before permanent changes take effect.
How to Check Your Email for Hacker Activity (Step by Step)
The major email providers all give you the tools to investigate. Here is where to look.
Gmail
- Scroll to the bottom of your Gmail inbox on a computer and click “Details” to see recent activity, including IP addresses and device types
- Go to myaccount.google.com/security and review “Your devices” and “Recent security activity”
- Check Settings > Forwarding and POP/IMAP for unknown forwarding addresses
- Check Settings > Filters and Blocked Addresses for rules you did not create
Outlook (formerly Hotmail)
- Go to account.microsoft.com and select “Security” then “Sign-in activity”
- In Outlook webmail, go to Settings > Mail > Forwarding and Rules to check for unauthorized entries
- Review “Recent activity” for unfamiliar locations or devices
Yahoo Mail
- Go to login.yahoo.com/account/activity to see recent sign-in activity
- In Yahoo Mail settings, check “Filters” and “Vacation response” for unfamiliar rules
- Confirm your recovery phone number and email address have not been changed
If you see anything unfamiliar in any of these areas, treat your account as compromised and work through the recovery checklist above.
Lock It Down So It Does Not Happen Again
Once you regain control, focus on preventing a repeat.
Core security steps:
- Enable two-factor authentication on your email account
- Use a unique password that is not used anywhere else
- Store passwords in a reputable password manager
- Review and remove unused third-party app connections in your account settings
- Set up login alerts so you know immediately if someone else tries to access your account
Build better habits:
- Be cautious with urgent or threatening emails
- Verify sender addresses before clicking links
- Never enter your password on a page you reached by clicking a link in an email
- Keep your devices updated and run regular security scans
If you only take one step from this list, make it two-factor authentication. It adds a critical layer of protection even if your password is compromised.
For a full breakdown of how two-factor authentication works and why it matters, read Two-Factor Authentication 101: Your Second Line of Defense.
Using a password manager makes it much easier to use strong, unique passwords without having to remember them all. For a clear explanation of how they work and why they matter, read Password Managers 101: What They Are and How They Work.
Why Email Is the Master Key to Your Online Life
Email controls password resets for:
- Banks and credit cards
- Social media accounts
- Shopping sites and retail accounts
- Cloud storage and subscriptions
- Work accounts and professional services
- Medical portals and insurance accounts
If an attacker successfully compromises your email, they can quietly expand access elsewhere without touching those accounts directly. They reset passwords, intercept verification codes, and move through your digital life methodically.
This is why email security is not just about protecting your inbox. It is about protecting everything connected to it.
When to Take This Further
You should escalate if you notice:
- Financial alerts or unauthorized purchases you did not make
- Multiple accounts locked or compromised beyond just email
- Continued login attempts after securing your account
- Identity theft warning signs like new credit inquiries or accounts in your name, which is when you should freeze your credit at all three major bureaus (plus the 4th everyone forgets)
- Threats, blackmail, or harassment using information from your email
For financial issues, contact your bank and credit card companies immediately.
If your email compromise leads to identity theft signs, you may need to take additional protective steps. For a practical starting point, see Identity Theft 101: Identity Protection Starter Guide.
For ongoing harassment or threats, document everything and consider contacting local law enforcement.
Final Thoughts
Discovering your email has been hacked is unsettling, but it is rarely unfixable. In my experience, people who catch it in the first hour usually recover with nothing worse than an inconvenience. People who wait days find themselves unwinding bank fraud and locked social media accounts.
If you are dealing with a compromise right now, the priorities are simple. Change your email password from a device you trust, turn on two-factor authentication, and work through the action steps in this guide to lock out the attacker and check for anything they left behind. Time matters more than perfection here. Get the account secured first, then circle back to clean up recovery options and connected apps. Read Password Security 101 if you need help creating a strong password.
If you are not actively compromised but you landed here because you want to stay ahead of this, focus on prevention. Enable two-factor authentication on your email today if you have not already. Run your address through Have I Been Pwned to see your breach history. Start using a password manager so you are not reusing passwords across accounts. These three steps prevent the vast majority of email takeovers before they ever happen.
Your email is the single most important account you own online. Everything else, from banking to shopping to work to social media, resets through it. Treat it like the master key it is.
If you found this helpful, the best next step is to strengthen the account before something goes wrong. The guide Two-Factor Authentication 101 walks through exactly how to set up the extra layer of protection that stops most email attacks cold.
Hacked Email FAQ
What are the signs that my email has been hacked?
The most common signs your email has been hacked include:
- You cannot log in with your normal password
- Password reset emails you did not request
- Login alerts from unfamiliar devices or locations
- Emails in your Sent folder you did not write
- Messages marked as read or deleted that you never opened
- New forwarding rules, filters, or recovery settings you did not create
- Contacts reporting strange messages from you
- Two-factor authentication prompts you did not trigger
- Unfamiliar apps or services connected to your account
- Your device is suddenly slow or acting strangely
Any single sign is worth investigating. Two or more happening together could mean a compromise.
What is the first thing I should do if my email is hacked?
Change your password immediately from a device you trust, ideally one that has not been used to check the compromised email recently. After that, enable two-factor authentication, sign out of all active sessions, and review your account recovery settings for anything unfamiliar.
Can a hacker still access my email after I change my password?
Yes, in two situations. First, if they set up a forwarding rule before you changed the password, they may still be receiving copies of your mail. Second, if they have an active session token on another device, that session may stay logged in until you use the “sign out of all devices” option in your account settings. Always do both after a compromise.
How did my email get hacked in the first place?
The most common causes are reused passwords exposed in other websites’ data breaches, phishing emails that tricked you into entering your password on a fake login page, malware on a device that captured your saved credentials, and logging in on public or shared Wi-Fi without a VPN. Brute-force password guessing is rare because modern providers block it.
Should I delete my email account if it was hacked?
In most cases, no. Deleting the account can cause more problems than it solves since your email is tied to your other logins, subscriptions, and recovery options. Securing the account with a new password, two-factor authentication, and a clean settings review is almost always the better choice. Only consider deletion if the account is a throwaway you no longer use.
Can someone hack my email if they only have my email address?
No. Your email address alone is not enough to break into your account. However, it is the starting point for attackers. With just your address, they can check whether it appears in data breaches, send phishing messages targeted specifically at you, and try passwords they have stolen from other breaches to see if you reused them.
How long does it take to recover a hacked email account?
If you still have access, recovery takes about 10 to 15 minutes. If you are fully locked out, the provider’s recovery process usually takes anywhere from a few hours to several days, depending on how much identity verification they require. Gmail, Outlook, and Yahoo all have automated recovery flows that start within minutes if you have a recovery phone or backup email still under your control.
A hacked email account can quickly turn into stolen accounts, identity theft, or financial scams if it goes unnoticed. If this guide helped you spot the warning signs, share it with someone who should check their inbox security too.
Michael Kendrick
Director of IT and former Certified Registered Locksmith with 27 years in technology and cybersecurity. Practical, everyday guidance to help you protect everything from the locks on your doors to the logins on your accounts.