People picture a hacked inbox as a dramatic lockout. Usually it is nothing of the sort. An attacker who wants to use your account quietly has every reason to leave your password alone, sit in the background and read everything, because your email is the key that resets the password on almost every other account you own.
Which is why the quiet signs matter more than the loud ones. It is also why the fix has an order most guides get wrong.
Here is the short version.
- Check your account's recent login activity. Unknown devices or places is the clearest tell.
- Change your password from a device you trust, using something long and never reused.
- Sign out of all sessions. Otherwise an attacker already signed in simply stays signed in.
- Check forwarding rules, filters and recovery details for anything you did not add.
- Turn on two-step verification, then secure any account that shared the old password.
What to focus on
These are the questions people actually ask at this moment. Here are the honest answers.
- How do I know for sure? Open your recent login activity. Unfamiliar devices or locations is the strongest evidence.
- Is a new password enough? No. It does not evict a session that is already signed in.
- What is the sneaky part? Forwarding rules and changed recovery details, which keep working after a password reset.
- Why is my mail disappearing? Attackers delete alerts and reset emails to stay hidden.
- Are my other accounts at risk? Yes. Email resets everything else, so treat it as the master key.
The quiet signs most people miss
Being locked out is the obvious sign, but it is not the common one. Watch instead for messages in your Sent folder you never wrote. Watch too for contacts telling you they received strange mail from your address. Look for password reset emails for other services you never requested, which means someone is trying your email as a key elsewhere. Notice unexplained settings changes, a signature you did not write or mail going missing for no reason.
A quiet hack is more common than a lockout, because an attacker reading your mail is worth more than one who slams the door. If mail is vanishing, work through our guide on why emails disappear first, since there are innocent explanations. A hack is the last one to rule out.
How to check, in one minute
You do not have to guess. Every major provider shows you a record of recent sign-ins with the devices, browsers and rough locations attached. Open that page and read it. Sign-ins from a device or country that is not yours is the strongest evidence you will get.
Your recent login activity page is the single fastest way to confirm or dismiss a suspected hack. Google keeps its version in the security section of your account, alongside its guidance for securing a hacked account. Outlook and Yahoo both offer the same kind of recent activity page.
The mistake almost everyone makes
Here is the part that matters most. Nearly everyone changes their password and assumes the job is done. It is not, for a simple reason: a session that is already signed in usually stays signed in. The attacker keeps reading your mail from their existing session while you feel safe.
Changing your password does not kick out an attacker who is already signed in; you have to sign out every session to do that. Every provider has this control, often called something like sign out of all devices or manage devices. Use it right after the password change, not instead of it.
Close the back doors they left behind
The second reason a password change is not enough is that attackers plant ways back in. Check three things. First, forwarding: a rule quietly copying every message to their address keeps working no matter what your password is. Second, filters and rules: attackers use them to delete the security alerts and reset emails their own activity generates, so you never see the warnings. Third, your recovery email and phone number, which they may have swapped to their own so they can simply reset their way back in.
Forwarding rules, hidden filters and altered recovery details all survive a password reset, so remove them or the attacker walks back in. While you are there, review connected apps and remove anything you do not recognise.
Then treat your email as the master key
Once the account itself is secure, remember what it unlocks. Your email can reset the password on your bank, your shopping accounts and your social profiles, which is exactly why it was targeted. Check anything financial for activity you do not recognise. Change the password on any account that used the same one as your email, since reuse is the first thing attackers try. Make sure those accounts still list your own recovery details.
Your inbox is the master key to your online life, so securing it is only half the job. That reality is spelled out in our guide on losing access to your email account. Turn on two-step verification too, since it keeps a stolen password from being enough on its own.
Tell your contacts, then clean up
One last piece that is easy to skip. If your account sent scam messages, your contacts are the ones now at risk, because a message from a familiar address is far more convincing than any stranger's. Send a short note from a secure account letting people know what happened and telling them not to click links in recent mail from you.
Warn your contacts quickly, since your name is what made the scam messages convincing in the first place. Then run a malware scan on your devices, because a password stolen by something on your computer will simply be stolen again. Finally, if the account is important to you, keep a copy of the mail you cannot afford to lose, as our guide on whether your email is automatically backed up explains.