How to Check If Your Email Was Hacked and What to Do About It

Email account compromise is one of the most common cybersecurity incidents. A hacked email account gives attackers access to every service you have registered with that address — social media, banking, shopping, and more. Knowing how to detect a breach quickly and respond effectively can significantly limit the damage.

Signs Your Email Account Has Been Hacked

1. Unusual Login Activity

Most email providers show recent login history. Check it:

• Gmail: Google Account > Security > Recent security activity
• Outlook: Account > Security > Sign-in activity
• Yahoo: Account Security > Recent activity

Look for logins from unfamiliar IP addresses, countries, or devices you do not recognize. A login from a country you have never visited at 3 AM is a clear red flag.

2. Emails You Did Not Send

Check your Sent folder for emails you did not write. Attackers often use compromised accounts to send spam or phishing emails to your contacts. If friends or colleagues report receiving strange emails from you, your account is likely compromised.

3. Missing or Deleted Emails

If emails you know you received have disappeared, or if your inbox organization looks different, someone may have accessed and manipulated your account.

4. Password Change Notifications You Did Not Initiate

If you receive notifications that your password was changed, recovery information was updated, or a new device was authorized — and you did not make these changes — your account has been accessed by someone else.

5. Locked Out of Your Account

If your password suddenly does not work, an attacker may have changed it to lock you out. This is the most urgent scenario and requires immediate action through account recovery.

6. Spam from Your Contacts

If people in your address book report receiving spam that appears to come from your email address, your account or contact list has been compromised.

7. Forwarding Rules You Did Not Set

A sophisticated attacker will set up automatic forwarding rules to quietly copy all your incoming email to an address they control — without you noticing. Check:

• Gmail: Settings > See all settings > Forwarding and POP/IMAP
• Outlook: Settings > Mail > Forwarding
• Yahoo: Settings > Security > Connected apps and forwarding

Unknown forwarding rules are a serious sign of persistent compromise.

Check If Your Email Appears in Data Breaches

Your email address and associated password may have been exposed in a third-party data breach — a company you used was hacked and user credentials were stolen.

HaveIBeenPwned.com (created by security researcher Troy Hunt) is the most reliable tool for this. Enter your email address and it tells you which data breaches included your address and what data was exposed. This service is legitimate and does not store your search queries.

If your email appears in a breach, change the password for every service where you used the same or similar password immediately.

Immediate Steps If Your Email Has Been Hacked

Step 1: Change Your Password Immediately

Use a strong, unique password — at least 16 characters, mixing letters, numbers, and symbols. A password manager (Bitwarden, 1Password) generates and stores these securely.

If you are locked out, use the account recovery process:

• Google: accounts.google.com/signin/recovery
• Microsoft: account.live.com/password/reset
• Yahoo: login.yahoo.com/forgot

Step 2: Enable Two-Factor Authentication (2FA)

This is the single most important step after regaining access. With 2FA, even if an attacker has your password, they cannot access your account without the second factor (an app-generated code or hardware key).

Use an authenticator app (Google Authenticator, Authy, Microsoft Authenticator) rather than SMS-based 2FA where possible. SMS 2FA is better than nothing but vulnerable to SIM-swapping attacks.

Step 3: Revoke Active Sessions

Sign out all other active sessions:

• Gmail: Security > Your devices > Manage all devices > Sign out other devices
• Outlook: Security > Sign-in activity > Terminate active sessions

This ends any ongoing access by the attacker.

Step 4: Check and Remove Unauthorized Access

• Remove any connected apps you do not recognize
• Delete forwarding rules you did not set
• Review filter rules for any that delete, archive, or forward email
• Check recovery email address and phone number — attackers often change these to maintain access after you change your password

Step 5: Scan for Malware

If your device was compromised through malware (keylogger, RAT), changing your password will not help — it will be captured again. Run a full scan with a reputable antivirus tool (Malwarebytes, Windows Defender) before changing credentials.

Step 6: Notify Your Contacts

Alert people in your address book that your account was compromised and that they should not click links or open attachments from recent emails that appeared to come from you.

Step 7: Secure Connected Accounts

Every account that uses your compromised email for login or password recovery is now at risk. Prioritize:

• Banking and financial accounts
• Social media
• Shopping accounts (Amazon, PayPal)
• Any account with stored payment information

Change passwords and enable 2FA on all important accounts. Use your password manager to ensure each account has a unique password.

Preventing Email Compromise in the Future

Use a strong, unique password: Never reuse passwords across accounts. A password manager makes this practical.

Enable 2FA on your email: This single step prevents the vast majority of account takeover attempts. Even if your password is compromised, an attacker cannot log in without the second factor.

Be suspicious of phishing emails: Most email account compromises begin with the user clicking a phishing link and entering credentials on a fake login page. Verify the URL before entering your password anywhere.

Keep recovery information current: An outdated recovery phone number or secondary email means you may not be able to recover a compromised account.

Use a unique email for high-security accounts: Consider using a dedicated email address (that you do not use for general signups) for banking and financial accounts. This address has a much smaller breach exposure surface.

Monitor HaveIBeenPwned: Set up breach monitoring for your email addresses at HaveIBeenPwned.com — free notifications when your email appears in a new breach.

What Attackers Do with a Compromised Email

Understanding what attackers want helps prioritize your response:

• Account takeover: Use password reset to access your banking, social media, and other accounts
• Spam and phishing: Use your trusted email identity to send malicious emails to your contacts
• Data theft: Read your emails for personal information, financial data, or business secrets
• Credential harvesting: Find credentials you may have sent or received via email
• Ransom: Threaten to expose sensitive emails unless paid

The sooner you detect and respond to a compromise, the less damage can be done across each of these vectors.

Final Thoughts

Email account security is foundational to your entire digital security posture. Because so many accounts can be accessed through email-based password reset, your email is the master key to your digital life. Protect it with a strong unique password and two-factor authentication, and check HaveIBeenPwned periodically to catch breach exposures early.