Last updated: March 15, 2026

Check for email compromise immediately by verifying unfamiliar login locations in account activity logs, reviewing password reset emails you didn’t send, and checking connected apps and recovery email addresses. If compromised, change your password from a different device, enable two-factor authentication, disconnect suspicious sessions, and reset passwords on critical accounts (banking, cryptocurrency, cloud storage). Email compromise is a gateway to your entire digital identity, so treating it as a critical emergency is essential.

Critical Warning Signs Your Email Has Been Hacked

  1. Unrecognized Login Activity

The most definitive proof of a hack is unfamiliar activity in your account. Check these immediately:

How to check:

  1. Password Changed Without Your Knowledge

If you’re suddenly locked out of your account or receive a password reset notification you didn’t request, this is a major red flag. Hackers often change the password immediately after gaining access to lock you out.

Immediate action - If you can still access your account, change your password NOW. If you’re locked out, use the account recovery options.

  1. Sent Messages You Didn’t Write

Check your Sent folder (and Sent Trash) for emails you didn’t send. Hackers often use compromised accounts to:

How to check - Scroll through your Sent folder and look for messages with suspicious subject lines or recipients you don’t know.

  1. Deleted Emails You Didn’t Remove

Hackers often delete evidence of their intrusion. If you notice missing emails, especially those from password reset notifications or security alerts, someone else may have accessed your account.

  1. Unexpected Password Reset Emails

Receiving multiple password reset emails for various services often indicates that a hacker has access to your email and is attempting to compromise other accounts linked to it.

  1. Strange Settings Changes

Review your email settings for modifications you didn’t make:

  1. Unfamiliar Recovery Options

Check your account recovery settings:

  1. Financial Red Flags

Watch for:

Subtle Signs of Compromise

These clues are easier to miss but still important:

  1. Slow Performance or Unusual Behavior

While not definitive proof, these can indicate compromise:

  1. Contacts Reporting Strange Messages

If friends, family, or colleagues tell you they’ve received odd emails from you, especially with links or attachments, your account may be compromised.

  1. Quota Suddenly Full

Hackers may use your email to send bulk spam, filling your storage quickly. If your normally manageable inbox is suddenly at capacity, investigate.

  1. Unfamiliar Login Alerts

Many email services offer login notifications. If you receive alerts for:

…take them seriously.

What To Do IMMEDIATELY If Your Email Is Hacked

Step 1 - Disconnect All Other Sessions

Gmail:

  1. Go to your Google Account
  2. Select Security
  3. Under “Your devices,” select Manage all devices
  4. Sign out of all unrecognized devices

Outlook:

  1. Go to Settings → Privacy and accounts
  2. Under “Where you’re signed in,” review and remove unfamiliar devices

Step 2 - Change Your Password Immediately

Create a strong, unique password:

Step 3 - Enable Two-Factor Authentication (2FA)

This is critical. Enable 2FA using:

Avoid SMS-based 2FA if possible, because SIM swapping attacks can bypass it.

Step 4 - Review and Remove Unknown Devices

Check every device with access:

Step 5 - Scan for Malware

Run scans on all your devices:

Step 6 - Review Email Filters and Forwarding

  1. Check all filters for rules you didn’t create
  2. Remove any forwarding addresses you don’t recognize
  3. Delete any auto-responders you didn’t set up
  4. Verify your signature hasn’t been modified

Step 7 - Check Linked Accounts

Your email is likely linked to:

Immediate action - Change passwords for these accounts, especially if you use the same password.

Step 8 - Alert Your Contacts

Notify people in your contact list that your email was compromised. Warn them not to click any suspicious links from your address during this period.

Step 9 - Check for Identity Theft

Monitor these areas:

Consider placing a credit freeze or fraud alert.

Step 10 - Report the Compromise

Report to:

Prevention: Protecting Your Email Going Forward

Use a Unique, Strong Password

Never reuse passwords across accounts. Use a password manager to generate and store unique passwords.

Enable 2FA on EVERY Account

Prioritize:

  1. Hardware security keys (YubiKey, Google Titan)
  2. Authenticator apps (Authy, Google Authenticator)
  3. Backup codes (printed, stored offline)

Monitor Account Activity Weekly

Make it a habit to:

Use Separate Email for Sensitive Activities

Consider:

Watch for Phishing Attempts

Be skeptical of:

Keep Recovery Options Updated

Regularly verify:

Consider Using a Privacy-Focused Email Provider

Services like Proton Mail offer:

Check Gmail for Hidden Forwarding Rules

Attackers often add silent forwarding rules to copy every incoming email. Use the Gmail API to audit settings programmatically:

# Using the Gmail API via curl (requires a valid OAuth2 access token)
ACCESS_TOKEN="ya29.your_token_here"

# List all active forwarding addresses
curl -s -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "https://gmail.googleapis.com/gmail/v1/users/me/settings/forwardingAddresses" \
  | python3 -m json.tool

# List all active filters; look for forward or delete actions
curl -s -H "Authorization: Bearer ${ACCESS_TOKEN}" \
  "https://gmail.googleapis.com/gmail/v1/users/me/settings/filters" \
  | python3 -m json.tool

Or check manually - Gmail Settings → See all settings → Filters tab, then check the Forwarding and POP/IMAP tab.
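
Reading the filter list by eye gets tedious on accounts with many rules. The following is an added example, not part of the original article: it takes the JSON returned by the filters endpoint above and flags every filter that forwards mail or hides it (deletes it, skips the inbox, marks it read). The function name `audit_filters`, the allowlist parameter and the sample data are assumptions made for illustration.

```python
import json

# Constructed sample shaped like the response of
# GET /gmail/v1/users/me/settings/filters (not real account data).
SAMPLE_FILTERS = json.loads("""
{"filter": [
  {"id": "f1", "criteria": {"from": "newsletter@example.com"},
   "action": {"addLabelIds": ["Label_12"]}},
  {"id": "f2", "criteria": {"query": "password OR security OR verify"},
   "action": {"addLabelIds": ["TRASH"], "removeLabelIds": ["INBOX", "UNREAD"]}},
  {"id": "f3", "criteria": {"query": "invoice"},
   "action": {"forward": "collector@example.net"}}
]}
""")


def audit_filters(response, trusted_forward_targets=()):
    """Return (filter_id, reasons) for each filter that forwards or hides mail.

    trusted_forward_targets is a hypothetical allowlist of addresses the
    account owner set up deliberately; forwards to those are not flagged.
    """
    trusted = {addr.lower() for addr in trusted_forward_targets}
    findings = []
    for flt in response.get("filter", []):
        action = flt.get("action", {})
        reasons = []
        target = action.get("forward")
        if target and target.lower() not in trusted:
            reasons.append(f"forwards to {target}")
        if "TRASH" in action.get("addLabelIds", []):
            reasons.append("deletes matching mail")
        removed = action.get("removeLabelIds", [])
        if "INBOX" in removed:
            reasons.append("skips the inbox")
        if "UNREAD" in removed:
            reasons.append("marks as read")
        if reasons:
            findings.append((flt.get("id"), reasons))
    return findings


if __name__ == "__main__":
    # Constructed data; for a real audit, json.load() the saved curl output.
    for filter_id, reasons in audit_filters(SAMPLE_FILTERS):
        print(filter_id, "->", "; ".join(reasons))
```

A filter that both matches security-related keywords and sends the mail to Trash, like `f2` in the sample, is the pattern to remove first and then follow up with a password change and session sign-out.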

Quick Reference - How to Check Your Email Provider

| Provider | Login History Location | Security Settings |
|---|---|---|
| Gmail | Settings → See all settings → Last account activity | Security → 2-Step Verification |
| Outlook | Settings → Privacy and accounts → View my activity | Settings → Privacy and accounts |
| Proton Mail | Settings → Security → Session management | Settings → Security and passwords |
| Yahoo | Security → Recent activity | Security → 2-Step Verification |
| iCloud Mail | Mail Settings → Accounts | Apple ID → Security |

Frequently Asked Questions

How long does it take to tell if your email account was hacked?

For a straightforward setup, expect 30 minutes to 2 hours depending on your familiarity with the tools involved. Complex configurations with custom requirements may take longer. Having your credentials and environment ready before starting saves significant time.

What are the most common mistakes to avoid?

The most frequent issues are skipping prerequisite steps, using outdated package versions, and not reading error messages carefully. Follow the steps in order, verify each one works before moving on, and check the official documentation if something behaves unexpectedly.

Do I need prior experience to follow this guide?

Basic familiarity with the relevant tools and command line is helpful but not strictly required. Each step is explained with context. If you get stuck, the official documentation for each tool covers fundamentals that may fill in knowledge gaps.

Can I adapt this for a different tech stack?

Yes, the underlying concepts transfer to other stacks, though the specific implementation details will differ. Look for equivalent libraries and patterns in your target stack. The architecture and workflow design remain similar even when the syntax changes.

Where can I get help if I run into issues?

Start with the official documentation for each tool mentioned. Stack Overflow and GitHub Issues are good next steps for specific error messages. Community forums and Discord servers for the relevant tools often have active members who can help with setup problems.
