Sun, Jul 12, 2026NY 6:52 PM EDTLA 3:52 PM PDTLON 11:52 PM GMT+1PAR 12:52 AM GMT+2DXB 2:52 AM GMT+4SIN 6:52 AM GMT+8TOK 7:52 AM GMT+9SYD 8:52 AM GMT+10UTC 10:52 PM UTCBTC delayed quote CoinGeckoETH delayed quote CoinGeckoFresh explainers, verified sources, practical next steps
Strangely Useful

Clear, verified help for apps, money, security, AI, and everyday tech problems.

Sections
Start with topic hubsSpot fake supportFix a wrong Cash App paymentLatest storiesTopicsMoney & ChargesSearchInternet & CultureTech & AISecurity & TrustPractical TechnologyMoney & PaymentsBrowser & PrivacyAI ToolsSoftware & ServicesInternet Culture & Everyday WorkflowsHidden HistoryUseful ThingsEntertainmentQuizzesAboutHow we workHow guides are madeNewsletter
Security & Trust - story

The First Hour After an Email Account Takeover

Recover the mailbox, remove persistence, protect downstream accounts, and preserve a timeline before the attacker can reset more services.

Last verified July 11, 20262 sources checkedEditorial standards
A carefully arranged real-world scene representing the first hour after an email account takeover.
The First Hour After an Email Account TakeoverA carefully arranged real-world scene representing the first hour after an email account takeover.Work from a device you trust. Recover the mailbox through the provider, remove persistence, then protect accounts that use the address for password resets. Generated for Strangely Useful; provenance retained.
In this story4 sectionsRecover from a device you trustLook beyond the changed passwordProtect accounts downstream of emailPreserve evidence before cleaning up

Email is a reset channel for the rest of a digital life. After takeover, restoring the password is only the opening move; the attacker may have added forwarding, app passwords, recovery details, or trusted sessions.

Recover the mailbox, remove persistence, protect downstream accounts, and preserve a timeline before the attacker can reset more services. Work from a device you trust. Recover the mailbox through the provider, remove persistence, then protect accounts that use the address for password resets.

Use another trusted channel to tell a close contact what happened, and prepare a clean device. Do not conduct recovery through links in the compromised mailbox.

Recover from a device you trust

Use the provider’s official recovery page from a clean device. Use the provider’s official recovery page from a trusted device. Avoid performing recovery on a computer that may contain malware or an unknown extension.

Look beyond the changed password

  1. Change the password and revoke unfamiliar sessions

    Change the password and revoke unfamiliar sessions, app passwords, and trusted devices. Confirm the attacker did not replace recovery email or phone.

  2. Remove forwarding rules, filters, app passwords, and connected apps

    Inspect inbox rules, forwarding, delegates, sent mail, and trash. Hidden forwarding can continue leaking password resets after access appears restored.

  3. Secure financial, cloud, and social accounts tied to the mailbox

    Secure banking, cloud storage, social media, and password managers tied to the mailbox. Start with accounts that can move money or reset others.

  4. Tell close contacts to ignore suspicious recent messages

    Warn close contacts about recent suspicious messages and preserve headers or notices. Evidence helps explain downstream fraud without keeping the attacker’s access alive.

Search the mailbox for password-reset and security-notice messages from the incident window. That list reveals which other accounts the attacker attempted to reach and helps prioritize the next password changes.

Protect accounts downstream of email

  • Do not negotiate with the attacker.
  • Do not reuse the emergency password elsewhere.
  • Do not delete evidence before saving dates and notices.

Contact financial institutions and identity-theft resources quickly if the mailbox contains unauthorized reset notices, tax records, credit alerts, or payment changes.

Preserve evidence before cleaning up

Check current menu names, limits, and recovery language against “Email or social media hacked? Here’s what to do” and “Respond to security alerts” before acting; platform behavior can change after publication, and each source should be used only for the claim it actually supports.

The FTC recommends changing the password, signing out other devices, enabling two-factor authentication, and checking recovery information after an email or social account is hacked.

Google security guidance directs users to review account activity and respond to unfamiliar events.

Sources & methodology2 sources - evidence for this revision

The records below show what each source supports in this published revision.

  1. How To Recover Your Hacked Email or Social Media AccountFederal Trade Commissionreference - Retrieved Jul 12, 2026

    What it supportsThe FTC recommends changing the password, signing out other devices, enabling two-factor authentication, and checking recovery information after an email or social account is hacked.

  2. Respond to security alertsGoogle Account Helpreference - Retrieved Jul 12, 2026

    What it supportsGoogle security guidance directs users to review account activity and respond to unfamiliar events.

The Useful Dispatch

Keep the good rabbit holes coming.

The weekly email is being prepared. No address is collected yet.

See the newsletter plan →