Email is a reset channel for the rest of a digital life. After takeover, restoring the password is only the opening move; the attacker may have added forwarding, app passwords, recovery details, or trusted sessions.
Recover the mailbox, remove persistence, protect downstream accounts, and preserve a timeline before the attacker can reset more services. Work from a device you trust. Recover the mailbox through the provider, remove persistence, then protect accounts that use the address for password resets.
Use another trusted channel to tell a close contact what happened, and prepare a clean device. Do not conduct recovery through links in the compromised mailbox.
Recover from a device you trust
Use the provider’s official recovery page from a clean device. Use the provider’s official recovery page from a trusted device. Avoid performing recovery on a computer that may contain malware or an unknown extension.
Look beyond the changed password
Change the password and revoke unfamiliar sessions
Change the password and revoke unfamiliar sessions, app passwords, and trusted devices. Confirm the attacker did not replace recovery email or phone.
Remove forwarding rules, filters, app passwords, and connected apps
Inspect inbox rules, forwarding, delegates, sent mail, and trash. Hidden forwarding can continue leaking password resets after access appears restored.
Secure financial, cloud, and social accounts tied to the mailbox
Secure banking, cloud storage, social media, and password managers tied to the mailbox. Start with accounts that can move money or reset others.
Tell close contacts to ignore suspicious recent messages
Warn close contacts about recent suspicious messages and preserve headers or notices. Evidence helps explain downstream fraud without keeping the attacker’s access alive.
Search the mailbox for password-reset and security-notice messages from the incident window. That list reveals which other accounts the attacker attempted to reach and helps prioritize the next password changes.
Protect accounts downstream of email
- Do not negotiate with the attacker.
- Do not reuse the emergency password elsewhere.
- Do not delete evidence before saving dates and notices.
Contact financial institutions and identity-theft resources quickly if the mailbox contains unauthorized reset notices, tax records, credit alerts, or payment changes.
Preserve evidence before cleaning up
Check current menu names, limits, and recovery language against “Email or social media hacked? Here’s what to do” and “Respond to security alerts” before acting; platform behavior can change after publication, and each source should be used only for the claim it actually supports.
The FTC recommends changing the password, signing out other devices, enabling two-factor authentication, and checking recovery information after an email or social account is hacked.
Google security guidance directs users to review account activity and respond to unfamiliar events.
Sources & methodology2 sources - evidence for this revision
The records below show what each source supports in this published revision.
- How To Recover Your Hacked Email or Social Media AccountFederal Trade Commissionreference - Retrieved Jul 12, 2026
What it supportsThe FTC recommends changing the password, signing out other devices, enabling two-factor authentication, and checking recovery information after an email or social account is hacked.
- Respond to security alertsGoogle Account Helpreference - Retrieved Jul 12, 2026
What it supportsGoogle security guidance directs users to review account activity and respond to unfamiliar events.



