eastbaycyber

What to Do If Your Email Is Hacked (Step-by-Step)

FAQs 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Short answer

If your email is hacked, treat it like an emergency: attackers can use your inbox to reset passwords for banking, payroll, SaaS, and social accounts. The goal is to regain control, kick the attacker out (including tokens/sessions), remove persistence (forwarding/rules), and contain the fallout.

TL;DR - Change the password from a clean device, then sign out everywhere and enable MFA. - Remove malicious forwarding/inbox rules, check recovery options, and review sent/deleted items. - Treat it as urgent: email can reset passwords for banking, payroll, SaaS, and social accounts.

Short Answer (under 60 words)

Assume active compromise. From a known-clean device, reset your email password and revoke all sessions/devices. Turn on MFA, remove any forwarding addresses and suspicious inbox rules, and update recovery email/phone. Then reset passwords for critical accounts that use that inbox and warn contacts about phishing from your address.

Detailed Explanation

1) Confirm you’re on a clean device and network

If malware stole your password, changing it on an infected machine can hand the attacker the new password immediately.

Do this: - Use a different, trusted device (or boot into a known-clean environment). - Update the OS and browser; run an AV scan if you must use the same machine. - Avoid public Wi‑Fi while recovering the account (use a trusted connection).

Optional but helpful: Use a reputable VPN on untrusted networks (e.g., NordVPN: Check NordVPN pricing → or Surfshark: Try Proton VPN →). A VPN won’t “unhack” an account, but it can reduce risk when you must recover on the go.

2) Regain access (if you’re locked out)

If the attacker changed your password or recovery settings: - Use the provider’s account recovery flow (Google/Microsoft/your host). - If this is a work account, escalate to IT immediately—admins can often reset credentials, revoke tokens, and inspect rules faster than you can.

Tip: If your recovery email is also compromised, you need to secure that first (or in parallel). Email accounts often fall in domino chains.

3) Change the password correctly (and uniquely)

A “strong” password isn’t enough if it’s reused elsewhere.

Do this: - Set a long, unique password (password manager recommended). - Don’t reuse old passwords. - If you suspect credential stuffing (same password used across sites), plan to rotate those other accounts too.

If you don’t already use a password manager, consider one that supports strong generation, secure sharing, and admin controls (for teams). For example, 1Password is a common option for individuals and small businesses: Try 1Password →. You can also see our related guide: password manager for small business 2026.

4) Revoke sessions, devices, and app access (critical)

Attackers often keep access via: - Existing sessions (“stay logged in” cookies) - OAuth grants (“Sign in with Google/Microsoft”) - Mail client app passwords (legacy IMAP/SMTP) - Connected mobile devices

Do this immediately after changing the password: - “Sign out of all devices/sessions” - Remove unknown devices - Revoke third‑party app access - Disable legacy authentication where possible

5) Enable MFA (prefer phishing-resistant options)

Turn on multi-factor authentication to prevent simple password reuse attacks from succeeding again.

Best options (in order): 1. Passkeys / FIDO2 security keys 2. Authenticator app (TOTP) 3. Push MFA (acceptable, but watch for MFA fatigue prompts) 4. SMS (better than nothing; weakest due to SIM swap risk)

If the account is business-critical, consider enforcing MFA organization-wide.

6) Hunt for persistence inside the mailbox: rules and forwarding

Mailbox compromises frequently involve stealthy persistence mechanisms: - Auto-forwarding to an external address - Inbox rules to move security alerts to Archive/RSS/Trash - Rules to hide replies from victims - Delegated access / shared mailbox permissions

What to check: - Forwarding addresses (including “keep a copy” settings) - Inbox/server-side rules - Delegates/authorized users - POP/IMAP/SMTP settings (if enabled) - “Vacation responder” messages that could leak information

Remove anything you didn’t set—especially rules containing keywords like “invoice,” “wire,” “payment,” “ACH,” “gift cards,” “security,” or your CFO/CEO’s name.

7) Review what the attacker did: sent, deleted, and sign-in activity

You’re looking for: - Phishing emails sent from your account - Password reset emails for other services - Unusual sign-ins (new countries, impossible travel, unfamiliar IPs) - Deleted items emptied or moved

Action: - Save evidence (timestamps, headers, screenshots of rules/forwarding) for incident response or law enforcement if money loss occurred. - If the attacker contacted finance or vendors, treat it as a business email compromise (BEC) scenario—verify any recent payment instructions out-of-band (phone call to known numbers).

8) Secure downstream accounts (email is the reset key)

Your email inbox is the “master key” for: - Banking/credit cards - Payroll portals - SaaS admin consoles (Microsoft 365, Google Workspace, QuickBooks, CRM) - Social media accounts - Cloud storage (Drive/OneDrive/Dropbox) - Password manager recovery

Prioritize: 1. Financial and payroll accounts 2. Password manager / SSO / admin accounts 3. Any account with saved payment methods 4. Social accounts used for brand/customer contact

For each: rotate password, enable MFA, review recent logins, and revoke sessions/tokens.

9) Notify impacted people and your organization

If emails were sent from your account: - Tell contacts to ignore recent messages and avoid links/attachments. - If you’re in a regulated environment (healthcare, finance), follow your incident reporting process. - For businesses, notify your IT/security team and consider an incident ticket with a timeline.

10) Monitor after recovery

For the next 2–4 weeks: - Watch for renewed takeover attempts (password reset requests, MFA prompts) - Monitor mailbox rules (attackers sometimes re-add forwarding) - Consider enabling alerts for suspicious sign-ins and rule changes (where supported)


Technical Notes: Quick checks and cleanup (Google and Microsoft 365)

Gmail / Google Account: security review (user-level)

Use Google’s Security Checkup to remove unknown devices and third‑party access, then verify forwarding.

Manual checks: - Gmail → Settings → See all settingsForwarding and POP/IMAP - Gmail → Settings → Filters and Blocked Addresses - Google Account → Security → Your devices / Third‑party access

Microsoft 365 / Exchange Online: inspect forwarding and rules (admin)

If you’re an admin, confirm there’s no hidden forwarding at the mailbox level and enumerate inbox rules.

# Connect (Exchange Online PowerShell module required)
Connect-ExchangeOnline

# Check mailbox-level forwarding
Get-Mailbox user@domain.com | Select DisplayName,ForwardingSmtpAddress,DeliverToMailboxAndForward

# List inbox rules (look for redirects, deletes, moves to RSS/Archive)
Get-InboxRule -Mailbox user@domain.com |
  Select Name,Enabled,Priority,Description

# Look for suspicious permissions (delegates/full access)
Get-MailboxPermission -Identity user@domain.com |
  Where-Object {$_.AccessRights -match "FullAccess" -and -not $_.IsInherited} |
  Select User,AccessRights,Deny,IsInherited

# Review recent sign-in logs (requires AzureAD/Entra access via portal; see below)
Disconnect-ExchangeOnline -Confirm:$false

Entra ID (Azure AD) portal sign-in review: - Entra admin center → Users → select user → Sign-in logs - Filter by Status, Location, Client app, IP address - Look for legacy protocols (IMAP/POP/SMTP AUTH) if not expected.

Log patterns to look for

In sign-in logs and mailbox auditing (where enabled), common red flags include: - Multiple failed logins followed by a success from a new ASN/country - Legacy authentication successes (IMAP/POP/SMTP AUTH) - Sudden creation of inbox rules/forwarding - OAuth consent grants to unfamiliar apps

If auditing isn’t enabled, enable it now for future investigations.


Common Misconceptions

1) “If I change my password, I’m safe.”
Not always. Attackers may still have valid sessions, OAuth tokens, app passwords, forwarding rules, or delegated access. You must revoke sessions/tokens and remove rules.

2) “MFA guarantees the attacker is out.”
MFA helps, but if the attacker already added their own MFA method or hijacked recovery options, they can regain access. Verify MFA methods, recovery email/phone, and trusted devices.

3) “Only the inbox matters.”
Email compromise often leads to takeover of other accounts via password resets. The real damage may be in banking, payroll, SaaS admin, and vendor relationships.

4) “This is just spam; I can ignore it.”
If your account sent phishing or BEC messages, your contacts are at risk. Failure to warn them increases downstream compromise and reputational damage.

5) “Forwarding is harmless if I don’t see it.”
Forwarding is a classic persistence tactic. Attackers can silently receive copies of password resets, invoices, and conversations even after you change your password.



This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.