If Your Gmail Account Has Been Hacked, Take These Steps Immediately

Imagine this: You get an email from Google notifying you of a login attempt from Mexico. You were in Mexico, but that was two months ago, so you ignore it because it’s probably just a mistake.

If your Gmail account has been hacked, you must act quickly.

Even if this is your personal email, contact your work IT team immediately. Your personal email could be linked to work accounts and systems. Your IT team needs to know about possible compromises so they can monitor for:

  • Unauthorized access to work accounts.
  • Password reset attempts on linked accounts.
  • Potential lateral movement to company resources.

The following checklist prioritizes the most critical steps. Note: Google and other sites often change their interfaces, so the instructions may not be exact.

Step 1: Immediate Actions (Do This First)

If you still have access to your Gmail account, you should:

  • Go to your Google Account’s security page
  • Force log out all devices and sessions
    • Click “Manage all devices” or “Your devices.”
    • Select “Sign out of all other web sessions.”
    • This immediately ends the attacker’s access.
  • Change your Gmail password immediately
    • Use a strong, unique password (16+ characters, mix of uppercase letters, lowercase letters and numbers).
    • Do NOT reuse any password you’ve used before.
    • Consider using a password manager to store and generate strong passwords.
  • Review Two-factor Authentication (2FA) settings
    • Go to Security & sign-in settings and select “2-Step Verification.”
    • Check which phone numbers and devices have 2FA enabled.
    • Remove any unfamiliar phone numbers or devices.
    • If you can’t access 2FA codes: Consider resetting 2FA entirely to regain control.
      • Save your backup codes in a secure location.
      • Add only trusted devices for future 2FA.
  • Check Recovery Email and Phone Number
    • Go to Security settings and look for “How you sign in to Google.”
    • Verify the recovery email address is one you control.
    • Verify the recovery phone number is current and yours.
    • Remove any unfamiliar recovery contacts the attacker may have added.

Step 2: Protect Your Most Critical Accounts (Do Within 24 Hours)

The attacker may try to reset passwords on accounts linked to your Gmail. Change these passwords in this order:

  1. Cell phone provider (AT&T, Verizon, T-Mobile, etc.)
    • Call the provider directly or navigate to its site manually; don’t use email links.
    • This is critical: your phone number can be used to reset passwords across many accounts.
  2. Banking and financial accounts
    • All bank accounts
    • Investment/brokerage accounts
    • PayPal, Venmo, Square Cash
  3. Email-linked services (use unique passwords for each)
    • Password manager (LastPass, 1Password, Bitwarden, etc.)
    • iCloud/Apple ID
    • Microsoft/Outlook accounts
    • Any other email accounts linked to your Gmail
  4. Work-related accounts
    • LinkedIn
    • Any professional or contractor accounts
    • Client portals or vendor accounts
  5. Social media accounts
    • Facebook
    • Instagram
    • X
    • TikTok
    • Any other personal accounts that could be used for identity theft.

Step 3: Audit Account Access (Do Within 48 Hours)

Once attackers have access to an account, they want to cover their tracks. The longer they have access to your account, the more damage they can do.

  • Review your recent account activity
    • In Gmail, scroll to the bottom and click “Last account activity” in the lower right corner.
    • Check location, device type and IP address of recent logins.
    • If you see unfamiliar activity, note the dates and times.
  • Check Gmail’s “Connected apps and sites”
    • In Google Account settings, go to “Third-party apps & services.”
    • Remove any apps you don’t recognize or no longer use.
    • This prevents attackers from maintaining access through third-party apps.
  • Review your Gmail forwarding rules
    • Go to Gmail settings and select the “Forwarding and POP/IMAP” tab.
    • Check for forwarding rules you didn’t create.
    • Delete any unauthorized forwarding addresses.
  • Check Gmail filters
    • Go to Gmail settings and select the “Filters and Blocked Addresses” tab.
    • Look for filters that auto-delete, archive or redirect emails (attackers use these to hide their activity).
    • Delete any suspicious filters.
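A small audit script for the Step 3 filter check, added here as an example and not part of the original article: it reads the XML that Gmail’s “Filters and Blocked Addresses” tab exports and flags every filter that trashes, archives, marks as read or forwards mail, which are the actions attackers use to hide their activity. It assumes the export’s Atom feed layout with `apps:property` name/value pairs; the sample feed is constructed.

```python
# Added example (not from the original article): flag the kinds of filters an
# attacker adds to hide their activity (Step 3). Gmail's filter export is an Atom
# feed whose <entry> elements hold <apps:property> pairs; the sample is constructed.
import xml.etree.ElementTree as ET

NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}

# Filter actions that make mail vanish from the inbox or leave the account.
SUSPICIOUS_ACTIONS = {
    "shouldTrash": "auto-deletes matching mail",
    "shouldArchive": "skips the inbox",
    "shouldMarkAsRead": "hides the unread indicator",
    "forwardTo": "forwards mail to another address",
}
# Match terms that usually point at security, recovery or financial mail.
SENSITIVE_TERMS = ("password", "verification", "security", "recovery", "login", "bank")

def audit_filters(xml_text):
    """Return (filter_id, criteria, reasons) for each filter that deletes,
    archives, marks as read or forwards mail; harmless filters are skipped."""
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        fid = entry.findtext("atom:id", default="?", namespaces=NS)
        props = {p.get("name"): p.get("value")
                 for p in entry.findall("apps:property", NS)}
        reasons = [f"{name} ({why})" for name, why in SUSPICIOUS_ACTIONS.items()
                   if props.get(name) not in (None, "false")]
        if not reasons:
            continue
        criteria = {k: props[k] for k in ("from", "to", "subject", "hasTheWord")
                    if k in props}
        if any(t in " ".join(criteria.values()).lower() for t in SENSITIVE_TERMS):
            reasons.append("targets security/financial mail")
        findings.append((fid, criteria, reasons))
    return findings

# Constructed sample: a benign label filter, one hiding password-reset mail, one forwarding out.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry><id>tag:mail.google.com,2008:filter:1</id>
    <apps:property name='label' value='Newsletters'/></entry>
  <entry><id>tag:mail.google.com,2008:filter:2</id>
    <apps:property name='hasTheWord' value='password reset OR verification code'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/></entry>
  <entry><id>tag:mail.google.com,2008:filter:3</id>
    <apps:property name='forwardTo' value='unknown-box@example.net'/></entry>
</feed>"""
```

To audit a real export, pass the file contents of the exported `mailFilters.xml` to `audit_filters()` and review every entry it returns in the Gmail settings tab before deleting it.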

Step 4: Notify Important Contacts & Services

After attackers have compromised your account and concealed the evidence of their presence, they want access to more accounts.

They’ll most likely reach out to people in your contact list, either to trick them into divulging sensitive information or to send them phishing links designed to steal their credentials.

  • Notify your email contacts
    • Send a brief email to friends, family and colleagues: “My email was compromised. If you received anything unusual from my account, it wasn’t from me.”
  • Contact Google Support if needed
    • If you suspect data was accessed, visit Google’s support page.
    • Google may notify you if it detects suspicious activity.
  • Document the incident
    • Note the date you discovered the compromise.
    • Screenshot evidence of unauthorized access or recovery attempts.
    • Keep this for your records (and potentially for your work IT team).

Step 5: Monitor Going Forward (Ongoing)

Now that you’ve changed passwords and notified your contacts, you want to monitor your accounts for suspicious behavior.

You don’t know what an attacker accessed (Social Security number, credit card information, etc.), so it’s important to keep an eye out for large or unusual purchases.

  • Set up a credit freeze (It’s free and takes 5-10 minutes per bureau)
    • Equifax
    • Experian
    • TransUnion
    • This prevents attackers from opening accounts in your name. Just remember to unfreeze your credit if you want to take out a loan or apply for a credit card.
  • Sign up for credit monitoring
  • Monitor Gmail notifications for suspicious activity
    • Gmail will alert you to unusual sign-in attempts.
  • Consider enabling “Security Checkup”
    • Go to Security Checkup.
    • Google’s automated tool reviews your security settings monthly.
  • Watch for phishing attempts
    • Attackers may send you fake recovery emails or try to recompromise the account.
    • Be suspicious of any unexpected emails asking you to verify information.
    • Google will never ask for your password via email.

If You’re Locked Out of Your Account

If the attacker changed your password and you can’t access your account, you should:

  • Go to the Gmail login page and click “Can’t sign in?”
  • Use account recovery options
    • Enter your recovery email or phone number.
    • Google will send a verification code.
    • Follow prompts to regain access.
  • If recovery doesn’t work
    • Contact Google Support.
    • Be prepared to verify your identity (recovery information, devices you’ve used, etc.).
    • This process can take several days.
  • Once you regain access, follow Steps 1-5 above

Red Flags: When to Take Additional Action

Contact Google Support or your work IT team if you notice:

  • Multiple failed login attempts from unfamiliar locations.
  • Password reset attempts using your recovery email/phone.
  • Strange forwarding rules or filters.
  • Recovery email/phone number changed without your action.
  • Unusual device access or app connections.
  • Signs of identity theft (unexpected accounts opened, credit inquiries).

Need Additional Help?

Dealing with a compromised account can be stressful and chaotic. But it’s important to remain calm and follow the steps above.

If you need additional help, try these resources:

  • For Gmail account issues: support.google.com
  • For work-related concerns: Contact your work IT department immediately
  • For identity theft: Visit IdentityTheft.gov and file a report

Editor’s note: While these steps can significantly reduce risk, no system is 100% secure. This blog is for informational purposes only and should be followed at your own risk.