What To Do When Your Email Account is Compromised

Ryan D. Lang
Apr 11, 2011
Updated • Apr 1, 2019
Email, Security

I see more and more spam coming from the email accounts of contacts and friends when I open my e-mail program. In addition to this, people are telling me that they think their e-mail accounts have been hacked.

Signs can be friends receiving messages you did not send, mail is "marked read" that they never saw, settings are changed, or anything else out of the ordinary. In any case, the question is the same: "What do I do?"

While many Ghacks readers may know to follow these steps, having a guide handy for others is a useful thing. I can imagine many readers are resources for friends, family, and coworkers. These steps can serve as a checklist to ensure thoroughness.

This is a guide on how to reasonably secure your e-mail account. What to do if you lose access to your account is a different problem for another article. This article assumes you still have access, but strange things (as mentioned) are going on. It will cover the three most commonly used e-mail account types: Gmail, Hotmail, and Yahoo Mail. While changing the settings is pretty easy, finding them can be less than obvious. Here are some screenshots to help you find the general settings page for your account.


Step 1 : Change Your Password

You need to do this immediately. This is akin to changing the locks on your doors. When you do not know exactly who has a key to your home, the locks are a liability. Count yourself lucky that you can get into your account. To change your password, log-in and go to Settings. Then follow the steps appropriate to your account.

  • In Gmail: Mail Settings > Accounts and Imports > Change Password
  • In Hotmail: More Options > Account Details (look for "Change" next to password)
  • In Yahoo Mail: Mail Options > Account Information > Change your password

The password needs to be super-secure, and I suggest you use a password manager such as KeePass to generate and store it.

If you cannot get into the account anymore, e.g. because the hacker changed the email password or because it was locked by the email company, contact the company directly to get it reinstated.

Step 2 : Check Your Recovery E-mail Address

Your recovery e-mail address is the one that you use to reset/regain your password. However, if it was changed, it can be used to get the password to your account. Take a look to see if it is set to another account you own. If not, change it immediately. You also may want to follow these steps on that account.

  • In Gmail: Mail Settings > Accounts and Imports > Change Password Recovery Options
  • In Hotmail: More Options > Account Details (look for "Remove" next to an odd e-mail)
  • In Yahoo Mail: Mail Options > Account Information > Update password-reset info

Step 3 : Change Your Hints

Most people forget about this, but it is a good idea to change your hints. If the hacker knows the answer, they may be able to regain access. This usually requires the recovery e-mail address to be altered, but it is still better to change your hints. Since hints are usually used to reset passwords, they can be used to change your password.

  • In Gmail: Mail Settings > Accounts and Imports > Change Password Recovery Options
  • In Hotmail: More Options > Account Details (look for remove next to a question)
  • In Yahoo Mail: Mail Options > Account Information > Update password-reset info

Step 4 : Check Your Forwards

Checking your forwards is going to be a tedious process, but it is important. If you only have time to skim them over, then do so but make a thorough look your next priority. Your bank account may depend on it. Your e-mail account can be set up to send letters to other e-mail accounts. Most websites are set up to send new passwords to your e-mail address. That means that an unscrupulous person could ask the site for your password, set up your account to forward it to an account they have access to, and the get into the site. That could be a bank site, a blog, FaceBook, or anything else.

  • In Gmail: Mail Settings > Forwarding and POP/IMAP
  • In Hotmail: More Options > Email forwarding
  • In Yahoo Mail: Mail Options > POP & Forwarding (note: a premium service)

While you are at it, also check filters if the service supports that. On Gmail, you'd go to Settings > Filters and Blocked Addresses to get a list of all filters. Filters may also be used to process emails automatically, e.g. to forward them to another account automatically and skip the inbox.

Step 5 : Change All Your Passwords on Connected Accounts

Sadly, you have to assume that your forwards are compromised. You are going to have to go through each site you used your e-mail account to sign up with and change the password and hint provided that you used the same password.

You might even want to associate them with a separate account to isolate critical e-mails. Alternatively, you could just change your password and hint on sensitive sites. Your bank and any financial websites should be first. Social networking site like FaceBook and Twitter should be next.

Keep in Mind

You should always use a strong password for your accounts: one with uppercase, lowercase, numeric, and symbol characters. Ideally, you should have a different one for each account. At the very least your e-mail, financial, and social networking sites should have separate passwords. Security is not about absolutes, but about making it difficult for others to gain access to you account.

It is worth noting that each of these services has an extra security feature. You can actually set up your account to use your phone for e-mail recovery. As I have not used it, it is beyond the scope of this article, but is worth considering.

Additional resources

What To Do When Your Email Account is Compromised
Article Name
What To Do When Your Email Account is Compromised
Find out what you need to do when your email account gets hacked. Offers step by step instructions to recover account access and protect it.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. mishasin said on October 8, 2012 at 10:25 pm

    Thanks Martin for the warning and tips on how to prevent possible headaches.
    Best regards

  2. Davin Peterson said on October 9, 2012 at 1:23 am

    Thanks for the good tips.

    I check my spam email to make sure their is no legitimate email and often find fake emails. So, when I hover the mouse over a link it goes to a different URL than the text.

    If you are not sure of an email, type the URL in the web browser, don’t click the link in the email

    1. Martin Brinkmann said on October 9, 2012 at 8:10 am

      Typing in the url manually is a good tip provided that you go to a legit site and not a fake one. So, if it shows paypal.com but the link is pointing to somesite.example.com, typing in paypal.com in your browser will do the trick. Then again, there is no need to do that if you have identified the email as fake.

    2. Mike Corbeil said on October 12, 2012 at 5:12 pm

      Davin Peterson wrote, “… If you are not sure of an email, type the URL in the web browser, don’t click the link in the email”.

      Rather than typing in the URL, why not simply right-click on the hyperlink in an email, choose to copy the actual or real link, paste it in the address bar of the Web browser that’s open, and then the user will immediately see what the real URL is? Pressing Return shouldn’t be done until having carefully examined the URL pasted in the address bar.

      I wouldn’t bother doing that, either, for I simply hover the mouse pointer over hyperlinks in emails using Thunderbird and this permits being able to immediately see what the hyperlink really links to. But, copying and pasting would often be quicker than retyping whatever the real link is.

      I begin by checking if the domain names are the same. If they aren’t and a reason isn’t provided in the email, then I surely won’t bother using the real url. Otherwise, I’ll check the rest of the real address shown when hovering the mouse pointer over the hyperlink. If there happened to be a redirection included in the full link, then we have a number of options:

      1) We can just ignore the link altogether.

      2) Copy the full link and paste it in a CTRL+D prompt for making bookmarks, but without saving the link as a bookmark; permitting us to scroll across the full length of the link to be able to carefully examine the whole thing.

      3) If options 1 and 2 aren’t convenient, then we can alternatively paste the real url in the address bar for a new Web browser tab, f.e.

      4) And if options 1, 2 and 3 aren’t convenient, due to the length of a url (being too long to be able to see the whole thing without needing to scroll or cursor over a lot of it, say), then we can paste the url in a temporary text file that provides wrapping of long lines.

      When we don’t choose option 1, then we can view the whole url and then decide whether we want to use it, or not.

      Retyping URLs is fine, if they’re not too long, but they often are. It would often be quicker to use one of the above 4 approaches, and maybe there’re other safe options that I’m not thinking or aware of. But retyping URLs isn’t going to be something I’d do, except for short ones; and I don’t mean links that’re just shorteners for the real URLs, for I won’t use these shorteners. It’s an interesting concept, but it’s unfortunately untrustworthy. Imo, no one should use services like TinyURL and likes. Nice little concept, but users need to know where they’re going, before going to wherever it is. Internauters, everyone for that matter, have an inherent right to know in what direction others try to lead them to.

      A good middle-aged Catholic priest I momentarily met during the 1980s, and yes, there’re some good RCC clergy, it happens, he told me the first evening of a weekend retreat, a little secret, or something the overall RCC at least appears to want to keep secret. He said that I had two bosses. First, there is God. And, next in line, is …, well, guess? Yourself! In another manner of speaking, no one should “mess” with the inherent rights of another. And I detest services like TinyURL, et cetera, being used. If it’s done at websites that I know to be reliably/trustworthily managed, then I don’t mind the presence of these links, though still don’t like the idea of using them, so I do so only on very rare occasion. Having plenty of security for my PC, I can, on rare occasion, make use of such links; but, I always detest that they’re used. I’ve only used such links maybe twice over the past several years and it was only at websites that I know to be very trustworthy.

      Thankfully, there’re add-ons for Firefox and these extensions will show the real URLs of short-cut, say, links; but, I don’t know if there’s such an add-on for Thunderbird and I won’t use Microsoft Outlook, Live, and other email services. I use other Web browsers, first Opera and then MSIE, but only when I’m trying to troubleshoot a problem. Otherwise, it’s always Firefox and Thunderbird. My main Firefox profile (having several of them in one Windows user account and using the -P option to select which profile to open with Firefox, and similar for Thunderbird) has plenty of security. GRC.com’s ShieldsUp! tests this morning reported that all of my ports, the first 1,085 or so, are all stealth-protected and I have basic Windows XP Firewall, Avira Antivir, Threatfire (from PC Tools) and WinPatrol always running. So I’m not worried; but, I still detest the usage of TinyURL and such services. It’s of no service to me, for what I want to see is the real url.

      Preferable to using such services is to just use a short name or title for a hyperlink, but a meaningful title; preferably. If the title attracts a reader’s attention, then the person can just hover their mouse over the hyperlink’s text in order to see what the real link is. With services like TinyURL, et cetera, the real links are completely masked, unless we use, f.e., Firefox with the Long URL Please extension, or the Long URL Please Mod one.

  3. Mike Corbeil said on October 12, 2012 at 3:00 pm

    Quote: “It is important to verify links before you click on them.”

    Definitely, but as aware as I am about this, I sometimes forget and just blindly trust the text shown for a link. There haven’t been any nasty surprises for me, not yet, but it could happen. People should try to never forget to check what links lead to, before using the links.

    That’s when I used Firefox or another Web browser. With email, which I use Thunderbird for, I never open links directly from the bodies of the emails. Instead, I always use right-click on a link, select the copy option, and then paste the URL in the Web browser’s address bar or field. That guarantees always seeing what the URL is, before pressing the Return key, so it’s less likely that I’ll get “skunked”, say, when it’s a link from an email. It’s links in Web browsers that I need to try to never forget to properly check before opening whatever the corresponding pages are. Using Firefox over 99% of the time and Having Long URL Please Mod installed for Firefox extension is often useful, but I’ve recently found that this add-on didn’t seem to be working for some shortened URLs. I think that that’s now corrected, but it’ll take a while to be able to see if it is, or not.

    It may’ve possibly been for shortening links that the add-on wasn’t yet programmed for, but I’m pretty sure that this wasn’t the case. And some other things were no longer working correctly in Firefox over the past couple or few weeks. It all seems to now be corrected, after I shut down and restarted Firefox yesterday. And I just updated Firefox to v16.0.1 this morning.

    Your example using google.com (for hyperlink text) and bing.com for the actual URL is a good one, and I wonder if I would’ve checked what the real URL is, if I wasn’t reading the text of your tutorial or advice. By far most websites I use are very reliable, so I can easily navigate through them without double-checking what hyperlinks actually link to, and this can be a problem, for then we can easily come to develop the habit of opening links before hovering the mouse point over them in order to see what the real linked pages are. And habits are sometimes a little difficult to cease, until we “burn” ourselves one or two times; if not three.

    I think that I’m very safe, anyway. For the past couple of hours, I’ve been running GRC.com ShieldsUp! tests and the very initial page finds a “machine name” for my PC or connection, though also says that this may or may not be permanent, so I’ll have to check again after rebooting the PC, eventually. Other GRC ShieldsUp! tests say that all of my ports are stealthed though. Apparently, people from the WWW or WAN world can get access to my PC and maybe that’s because a router was added last week. I have only one PC connected to the Internet, but learned last year that passing through a router, rather than directly through a hi-speed modem, provides a considerable amount of security. So, and having learned that from both experienced users as well as college teachers in computer network administration, I definitely wanted a router for my personal connection.

    Nonetheless, we should always double-check what hyperlinks actually link to, as a matter of personal Internet usage policy, say. What would be possibly good to have is an add-on that would automatically run a verification of every URL users try to open; but, that would surely not be fail-proof. How could a developer do that in a fully fail-proof way? And there’d surely be a fairly serious performance hit/impact, I imagine anyway.

  4. Mike Corbeil said on October 12, 2012 at 3:08 pm


    Wherein, in the 2nd-to-last paragraph, I wrote, “Apparently, people from the WWW or WAN world can get access to my PC and maybe that’s because a router was added last week.”, there’s a slight typo. error.

    It should be, “Apparently, people from the WWW or WAN world can’t get access to my PC …”.

    There’re some other typo. errors in my prior post, but I think readers will quickly realize what the correct text would be, so I won’t bother explaining these errors.

  5. asdf said on October 5, 2016 at 9:47 am

    What about server side redirects? Is there a way to know the actual destination your browser will land on before you click a link, when a server has been set up to redirect traffic straight away?

    It may be that the displayed link and the “a href” tag are both giving one url, but if you click it it instantly redirects you somewhere else because the server is set up to do this. (This just recently happened to me).

    Is the redirection detectable before you follow a link, so you don’t end up somewhere you wouldn’t want to be?

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.