Hacked Email Account: How to Protect Yourself
Home Help Center Hacked Email Account: How to Protect Yourself

A hacked email account means someone has gained unauthorized access to your inbox without your permission. Because your email is the recovery address and notification hub for your bank accounts, financial platforms, social media, and other online services, a single compromised inbox can give a bad actor the keys to your entire digital life. Immediate action limits the damage.
What you do first depends on one critical variable: whether you still have access to your account or have been locked out. This guide covers both scenarios, then walks through the downstream identity risks a hacked email can create and the steps you can take to reduce your exposure going forward.
The Identity Theft Resource Center has supported victims of identity theft, fraud, and account compromise for more than 25 years at no cost. If you need personalized guidance at any point, call 888.400.5530 to chat with an expert advisor.
Why a Hacked Email Account Is a Gateway to Identity Theft
Most people think of a hacked email as an inconvenience. The more accurate way to think about it is as a master key. Your email address is the recovery method and notification channel for nearly every account you own. Financial institutions, government platforms, social media, and subscription services all send sensitive communications to your inbox and use it to confirm your identity when you need to reset a password.
A bad actor who gains access to your inbox can do more than read your messages. They can reset passwords on your bank and investment accounts before you realize anything is wrong. They can intercept two-factor authentication codes sent via email, which are specifically designed to keep bad actors out. They can scan years of archived correspondence for account numbers, Social Security numbers, tax documents, and other sensitive information. They can use your address to send phishing messages to your contacts, who are more likely to trust a message from someone they know.
The scale of this threat is growing. According to the ITRC’s 2026 Trends in Identity Report, unauthorized device access increased 78 percent year-over-year and has now surpassed scams as the primary threat for adults aged 35 to 64. Email account takeover is a direct downstream consequence: when a device is compromised, stored email credentials are among the first things extracted. A hacked email account is not always a standalone incident. It is often a symptom of a broader compromise.
Understanding the stakes is the foundation for the steps that follow. What you do first depends on whether you can still log in.
How To Tell If Your Email Has Been Hacked
Not every compromise announces itself with a locked account. Many victims notice smaller, easier-to-dismiss signals first. If any of the following sound familiar, treat them as a reason to act rather than wait.
Account access signals
- You are unexpectedly logged out and your usual password no longer works.
- Your recovery email address or phone number has been changed without your action.
- You receive a notification that your account was accessed from an unfamiliar location or device.
- Security settings you did not change have been altered.
Inbox and sent folder signals
- Emails appear in your sent folder that you did not write.
- Contacts tell you they received strange messages, requests, or links from your address.
- Emails are missing, deleted, or marked as read when you have not opened them.
- You receive password reset emails for accounts you did not request a reset for.
External signals
- You receive an alert from Have I Been Pwned or another breach notification service indicating your email address appeared in a data breach.
- You begin receiving an unusual spike in spam, which can indicate your address has been exposed or is actively being used by someone else.
One important distinction: receiving strange messages that appear to come from your address does not always mean your account was hacked. It may mean your address is being spoofed, meaning someone is using your address as a disguised sender without ever accessing your actual account. The fastest way to tell the difference is to check your sent folder. If the messages are not there and you can still log in normally, spoofing is more likely than a direct account compromise. If you are not sure which situation you are dealing with, the ITRC can help you assess it.
How To Recover a Hacked Email Account
Recovery looks different depending on whether you can still get into your account. Start with the scenario that matches your situation.
Scenario A: You still have access to your account
- Replace your password with a passkey. The major email providers – Google, Apple, Microsoft, Yahoo! – all offer passkeys as a way to protect your email accounts. Passkeys can’t be compromised in a phishing attack or stolen in a data breach, making them the most secure way to protect your account.
- Change your password. If your email provider does not offer passkey protection, update your password to a strong, unique password you have not used on any other account. A passphrase of 12 or more characters combining letters, numbers, and symbols is significantly more resistant to brute-force attacks than a shorter password. Do not reuse a variation of a previous password.
- Update your recovery options. Review your recovery email address and recovery phone number to confirm they are still yours. If a bad actor changed them, change them back before doing anything else. These are the fields that control who can reset your password.
- Enable multifactor authentication. If you haven’t created a passkey, turn on MFA if you have not already. An authenticator app such as Google Authenticator or Authy is more secure than SMS-based MFA, which can be intercepted through SIM swapping. App-based MFA generates a code locally on your device rather than sending it over the cellular network.
- Review and remove unauthorized sessions and devices. Most email providers allow you to see a list of active sessions or recently connected devices. Sign out of any you do not recognize. This step ends any ongoing unauthorized access even if the bad actor still has your old password.
- Check for forwarding rules and filters you did not create. A common tactic is to set up a silent mail forwarding rule that sends copies of your incoming messages to an address the bad actor controls. Go into your email settings and delete any forwarding rules or inbox filters you did not create. This step is often missed and can allow surveillance to continue even after you change your password.
- Notify your contacts. Let the people in your address book know your account was compromised and ask them to disregard any recent messages that asked them to click a link, share personal information, or download a file. A brief heads-up can prevent others from becoming victims.
Scenario B: You have been locked out of your account
- Use your email provider’s account recovery tool. Google, Apple, Microsoft/Outlook, and Yahoo! each have account recovery processes that allow you to verify your identity using a recovery phone number, backup email address, or account activity history. Start there before contacting support directly.
- If standard recovery fails, contact your provider. If automated recovery does not work, reach out to your email provider’s support team. The process will require identity verification. Document every step and every communication you receive, as this record may be needed if the situation escalates.
- Once you regain access, complete all steps from Scenario A. Recovering your password is only the first step. Every security setting, forwarding rule, and recovery option needs to be reviewed and reset before the account can be considered secure.
- Consider whether to close the account. If your account was significantly compromised and you are not confident it is fully secured, closing it and creating a new address may be the right call. If you take that step, update your email address with every financial institution, government account, employer, and online service that uses it. This is time-intensive but important, as your email is the notification address for accounts you may not think of immediately.
If the recovery process feels overwhelming or you are not sure where to start, contact the ITRC. An advisor can walk you through the steps at no cost to you.
The Identity Risks That Follow a Hacked Email Account
Recovering access to your inbox is a critical first step. It is not the last one. A hacked email account often sets off a chain of downstream identity risks that require attention even after you have regained control. Here is what to watch for and what to do.
Password Resets on Connected Accounts
If a bad actor had access to your inbox, they may have already used it to reset passwords on your financial accounts, investment platforms, social media, or other services. Review the recent activity on every account that uses your email address as a login, starting with financial institutions. If you see activity you do not recognize, contact that institution directly.
New Account Fraud
Your email address is required to open most online accounts. A bad actor who controlled your inbox could have used it to verify new accounts opened in your name. Check your credit reports for accounts you do not recognize and consider placing a credit freeze at the three major credit bureaus: Equifax, Experian, and TransUnion. A credit freeze goes further by blocking new credit inquiries entirely until you lift it.
Targeted Phishing Against your Contacts
Your address book is a valuable asset to a bad actor. Messages from a known sender get opened. If you have not already notified your contacts, do so now. Let them know that any message from your account asking them to click a link, share information, or help with an unusual request should be treated with suspicion until you confirm you sent it.
Sensitive Information Already in your Inbox
Think about what has come through your email over time: bank statements, tax documents, benefit correspondence, account confirmation emails, medical communications. If a bad actor had time in your inbox, assume any of that information may now be in their hands. This does not mean every piece of information will be misused, but it is worth taking stock of what was potentially accessible when deciding which follow-up steps to prioritize.
The ITRC can help you assess what information may have been exposed and determine which protective steps are most relevant to your situation.
How To Help Protect Your Email Account Going Forward
Recovering a hacked account addresses what already happened. These habits reduce the risk of it happening again.
Replace your password with a passkey. The major email providers – Google, Apple, Microsoft, Yahoo! – all offer passkeys as a way to protect your email accounts. Passkeys can’t be compromised in a phishing attack or stolen in a data breach, making them the most secure way to protect your account.
Change your password. If your email provider does not offer passkey protection, update your password to a strong, unique password you have not used on any other account. A passphrase of 12 or more characters combining letters, numbers, and symbols is significantly more resistant to brute-force attacks than a shorter password. Do not reuse a variation of a previous password.
Enable multitwo-factor authentication. If you haven’t created a passkey, Turn on MFA if you have not already. An authenticator app such as Google Authenticator or Authy is more secure than SMS-based MFA, which can be intercepted through SIM swapping. App-based MFA generates a code locally on your device rather than sending it over the cellular network.
Keep your recovery options current. Review your recovery phone number and backup email address at least once a year. Outdated recovery information can prevent you from regaining your own account after a compromise, effectively locking you out while the bad actor retains access.
Be cautious with links in email, even from people you know. Phishing remains the most common way email credentials are stolen. If you receive an unexpected message asking you to log in somewhere, click a link, or share personal information, verify directly with the sender before taking any action. A message from a trusted contact’s address does not mean that contact wrote it.
Check whether your email address has been exposed in a breach. Breach notification services let you search your email address against known data breaches to see if your credentials have been publicly exposed. The ITRC’s partner Have I Been Pwned allows you to search across multiple breaches at no cost. If your address appears in a breach, change your password for that account and any account where you used the same credentials.
Keep your devices updated and avoid unsecured public Wi-Fi. According to the ITRC’s 2026 Trends in Identity Report, unauthorized device access has surpassed scams as the leading identity compromise method for adults aged 35 to 64. Keeping your phone, computer, and tablet updated closes known security vulnerabilities. Avoiding unprotected public networks reduces the risk that your email credentials will be captured at the device level before they ever reach your inbox.
Seek Help from the ITRC
A hacked email account is disorienting because the damage is not always visible right away. The real risk is not just losing access to your inbox. It is the chain of downstream fraud and identity misuse that a single compromised account can set in motion.
Whether you are in the middle of recovering your account or trying to understand whether something is wrong, the ITRC is here. Call 888.400.5530 for free, confidential support from expert advisors who can help you assess your situation and build a recovery plan.
Frequently Asked Questions About Hacked Email Accounts
What does it mean if your email account has been hacked?
A hacked email account means someone has gained unauthorized access to your inbox without your permission. Because your email is used as the recovery address and notification hub for financial accounts, social media, and other online services, a compromised inbox can expose your broader digital identity to fraud, new account openings, and account takeover.
How can I tell if my email account was hacked?
Common signs include emails in your sent folder that you did not write, contacts reporting strange messages or links from your address, password reset emails for accounts you did not request, changes to your recovery options you did not make, and notifications of login attempts from unfamiliar locations or devices.
What should I do first if my email account is hacked?
If you still have access, change your password immediately, update your recovery options, and enable two-factor authentication. If you are locked out, use your email provider’s account recovery tool. In either case, contact the Identity Theft Resource Center at 888.400.5530 free guidance and a personalized recovery plan.
Can a hacked email account lead to identity theft?
Yes. A hacked email account is one of the most direct pathways to broader identity theft because email is used to verify identity and reset passwords across financial institutions, government platforms, and online services. A bad actor with access to your inbox can open new accounts in your name, redirect funds, or gather sensitive personal information from past correspondence.
What is the difference between a hacked email and a spoofed email?
A hacked email means someone has accessed your actual account. A spoofed email means someone is sending messages that appear to come from your address without accessing your account. If contacts report receiving strange messages from you but your sent folder is empty and you can still log in, your address is likely being spoofed rather than your account being hacked.
How can I prevent my email account from being hacked?
Replace your password with a passkey. The major email providers – Google, Apple, Microsoft, Yahoo! – all offer passkeys as a way to protect your email accounts. Passkeys can’t be compromised in a phishing attack or stolen in a data breach, making them the most secure way to protect your account.
If your email provider does not offer passkey protection, update your password to a strong, unique password you have not used on any other account. A passphrase of 12 or more characters combining letters, numbers, and symbols is significantly more resistant to brute-force attacks than a shorter password. Do not reuse a variation of a previous password.
Finally, turn on MFA if you have not already. An authenticator app such as Google Authenticator or Authy is more secure than SMS-based MFA, which can be intercepted through SIM swapping. App-based MFA generates a code locally on your device rather than sending it over the cellular network.
How much information are you putting out there? It’s probably too much. To help you stop sharing Too Much Information, sign up for the In the Loop.