eastbaycyber

How Do I Tell If My Email Has Been Hacked?

FAQs 6 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-13
Short answer

Your email may be hacked if you notice logins from unknown devices or locations, password resets you did not request, sent emails you did not write, missing messages, or new forwarding rules. Check account activity, security settings, and inbox rules immediately. If anything looks off, secure the account right away.

If you are wondering how to tell if email was hacked, start by checking for unfamiliar logins, password resets you did not request, sent messages you did not write, missing emails, and suspicious forwarding rules. A hacked mailbox often shows subtle signs before a full lockout happens, so fast review of your account activity and security settings matters.

Common Signs Your Email Account Is Compromised

Email compromise usually shows up as account takeover, not a dramatic lockout. In many cases, the attacker wants to stay quiet, read messages, reset passwords for other accounts, or redirect email without being noticed.

You cannot log in, or your password suddenly stops working

If your normal password no longer works and you did not change it, that is a strong sign of compromise. Attackers often change credentials quickly to block the real user.

A failed login alone is not conclusive. It could also be: - a typing mistake - a password manager sync issue - an outage at the provider

The concern rises when a failed login appears alongside other hacked email signs.

You see password reset or verification emails you did not request

Unexpected messages about password resets, login codes, or security alerts often mean one of two things: - someone is trying to access your account - someone is already in and testing access to linked services

Pay close attention to emails from your mail provider, bank, social platforms, cloud apps, payroll systems, and shopping accounts.

Sent mail contains messages you never sent

This is one of the clearest indicators of unauthorized email access. Check: - Sent Items - Drafts - Deleted Items - spam or junk folders

Attackers may send phishing emails from your account, reply inside existing threads, or save drafts for later use. In business settings, this can lead to impersonation or invoice fraud.

Messages are missing, moved, or marked as read

A compromised mailbox may show unusual behavior such as: - expected emails never arriving in the inbox - messages being automatically deleted or archived - unread messages already marked as read - emails from certain people disappearing

This often happens because the attacker created mailbox rules or filters to hide evidence.

New forwarding addresses or inbox rules appear

This is a high-priority check. Many attackers create persistence by forwarding copies of your mail to another address or routing certain emails into hidden folders.

Review: - forwarding settings - inbox rules or filters - blocked senders - delegates or shared mailbox permissions - aliases and connected accounts

If you find a forwarding address you do not recognize, assume the email account is compromised.

Login history shows unfamiliar devices, locations, or IPs

Most major email providers let you review recent sign-in activity. Look for: - locations you have never visited - impossible travel, such as two distant logins close together - unknown devices or browsers - repeated failed attempts followed by a successful login

One odd location is not always definitive because geolocation can be inaccurate. Multiple anomalies are a serious warning.

Recovery settings or MFA changed without your approval

Check whether the account’s: - recovery email - recovery phone number - authentication app - backup codes - trusted devices

have changed. Attackers modify these settings to keep access even after a password reset.

Contacts say they received strange messages from you

If coworkers, customers, or friends report odd emails, links, gift card requests, invoices, or urgent payment instructions from your account, assume compromise until proven otherwise.

This matters even more if the messages: - match your normal writing style - reference real conversations - include attachments from your usual mailbox

That can indicate true mailbox access, not simple address spoofing.

What To Check First

Before making changes, quickly review the areas attackers commonly use to maintain access:

Account activity and active sessions

Check recent sign-ins, active devices, and browser sessions. If your provider offers a “sign out everywhere” option, plan to use it after you confirm suspicious access.

Inbox rules, filters, and forwarding

Look for rules that: - move messages to archives or trash - mark messages as read - forward mail externally - hide messages from banks, payroll, or security alerts

This is one of the most common persistence methods in an account takeover.

Recovery options and MFA enrollment

Make sure your recovery email, phone number, MFA app, and backup codes still belong to you. If anything changed without your approval, treat it as a serious security incident.

Linked accounts that rely on this mailbox

Your email account often controls password resets for banking, cloud storage, shopping, and work accounts. Review those services for unusual reset notices or login alerts.

What To Do Immediately If You Suspect Compromise

If any of the signs above appear, take these steps in order:

  1. Change the password to a strong, unique one.
  2. Sign out of all sessions or revoke active devices.
  3. Enable or reset MFA using a trusted device.
  4. Review forwarding, inbox rules, delegates, and recovery settings.
  5. Check linked accounts that use this mailbox for password resets.
  6. Search Sent, Deleted, Drafts, and Trash for unauthorized activity.
  7. Notify your IT team or provider if this is a work account.
  8. Warn contacts if phishing may have been sent from your mailbox.
  9. Scan your device for malware if you suspect credentials were stolen locally.

If you need a malware scan after suspicious activity, a tool like Malwarebytes can be useful as part of cleanup, especially if you think a malicious attachment, fake login page, or infostealer was involved.

If this is a business email account, also review recent financial requests, vendor conversations, and any mail involving invoices, payroll, or banking changes.

How To Reduce The Risk Of It Happening Again

Once the immediate incident is contained, strengthen the account so the attacker cannot return.

Use a unique password and password manager

Reused passwords make account takeover much easier. Store strong, unique credentials in a password manager so you do not have to memorize them. If you want help managing unique passwords across accounts, 1Password is a practical option.

Keep MFA enabled

Use an authenticator app or hardware-based method when possible. Avoid relying only on SMS if stronger options are available.

Review mailbox rules regularly

Forwarding rules and hidden filters are easy to miss. Periodic checks can catch persistence before it causes more damage.

Secure your devices and browser sessions

Keep your operating system, browser, and extensions updated. If compromise started with malware or a phishing kit that stole session tokens, device cleanup matters just as much as changing your password.

For broader guidance, see: - What to Do If Your Email Is Hacked - How Attackers Use Mailbox Rules to Hide Email Fraud

Common Misconceptions

“If I can still log in, my email is not hacked.”

False. Many attackers avoid changing the password because they want silent access for as long as possible.

“A weird email from my address means my account was definitely breached.”

Not always. Email addresses can be spoofed. Confirm by checking your sent mail, login history, and account settings.

“Changing my password fixes everything.”

Not necessarily. If the attacker added forwarding rules, changed recovery options, enrolled their own MFA method, or stole active session tokens, they may still retain access.

“Two-factor authentication makes compromise impossible.”

False. MFA reduces risk significantly, but phishing, session theft, social engineering, and weak recovery settings can still lead to compromise.

Final Takeaway

If you notice more than one of these hacked email signs, assume compromise and respond immediately. One mailbox can expose password resets, financial conversations, cloud accounts, and private data. The sooner you review logins, forwarding rules, recovery settings, and linked accounts, the better your chance of limiting damage.

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-13

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.