Emergency Guide Free to share | Updated July 2026

From the Kedlin workshop

Your Gmail was hacked. Here's exactly what to do.

Take a breath. This is recoverable — but the order you do things in matters, and so does speed. This guide walks you through it in three phases: take back your account, contain the damage, and lock everything down so it never happens again. Every step has a short video walkthrough if you'd rather watch than read.

Written by someone who's been on the receiving end of an account takeover — and contained it by doing exactly this. Nothing here is sponsored; there's nothing to buy.

⏱️

Why speed matters

Your email account is the hub of your digital life. Nearly every account you own — bank, Amazon, social media — resets its password through your email. A hacker with your Gmail can methodically take over everything else, and they usually start within minutes. A clock is running. Work through Phase 1 and Phase 2 today, in order. Phase 3 can wait until tomorrow.

🤖

Want a helper while you work?

If you use Claude, ChatGPT, or any AI assistant, click the button below to copy a ready-made prompt. Paste it into your AI and it will walk you through this checklist interactively, answering questions as you go.

Phase 1 · Do this right now

Take back your account

First priority: get the hacker out and you back in. Tip — do the recovery from a device and location you normally use Gmail from (your home computer, your usual phone). Google recognizes familiar devices, and that dramatically improves your odds of passing recovery.

1. Get back in — or change your password immediately

If you can still sign in: change your password right now to something long and brand-new (never used anywhere else). If you're locked out: use Google's account recovery page. Answer as many questions as you can — even partial answers help — and use the device you always use. If the hacker changed your recovery phone or email, Google typically honors the old recovery info for about a week, so don't give up after one attempt.

2. Kick the hacker out: sign out every device

Changing your password doesn't always end sessions that are already open. Go to your Google Account's device list and sign out of everything you don't recognize — or everything, period, and sign back in yourself. This closes the hacker's open door.

3. Run Google's Security Checkup — and fix the recovery info

The Security Checkup shows recent security events, connected devices, and sign-in methods in one place. Most important: check your recovery phone and recovery email. Hackers add their own phone/email as recovery so they can steal the account back later. Remove anything you don't recognize and make sure the recovery info is yours.

4. Undo the sabotage: check forwarding, filters & delegates

This is the step almost everyone misses. Hackers quietly set up rules so they keep reading your email after you lock them out. In Gmail, open Settings (gear icon) → See all settings and check every one of these:

  • Forwarding and POP/IMAP — is mail being forwarded to an address you don't know? Remove it.
  • Filters and Blocked Addresses — look for filters that delete or hide emails containing words like "password," "verification," or "reset." Delete any filter you didn't create.
  • Accounts and Import → Grant access to your account — remove any delegate you didn't add.
  • Accounts and Import → Send mail as — remove unfamiliar addresses.
  • General → Vacation responder & Signature — make sure nothing was added.

5. Revoke third-party access & app passwords

Hackers connect apps to your Google account as another back door. Review everything with access to your account and remove anything you don't recognize or no longer use. Also check app passwords — special passwords that bypass two-factor authentication — and delete any you didn't create.

6. Recover emails the hacker deleted

Hackers often delete emails to cover their tracks — especially the "your password was reset" confirmations that would tip you off about which of your other accounts they hit. Check Trash first, then use Google's official Message Recovery Tool, which can restore mail deleted in the last 30 days after unauthorized access.

7. See what they touched

Google keeps a log of activity on your account. Review it to understand what the hacker did and when — it tells you which other accounts to worry about in Phase 2. In Gmail itself, scroll to the bottom right and click "Details" under "Last account activity" to see recent sign-ins with IP addresses.

Phase 2 · Same day

Contain the damage

Your Gmail is yours again — but assume the hacker used it while they had it. Anything that resets its password through your email is at risk. Work through your accounts in this order, most damaging first.

8. Check your Tier-1 accounts, in this order

Log into each of these right now and confirm you still can. For each one: change the password, verify the email and phone number on file are yours, and sign out all other sessions if the account offers it.

  1. Other email accounts (Microsoft/Outlook, Yahoo, iCloud, work email) — email accounts are the hub for everything else, so they come first.
  2. Bank & financial accounts — banks often trust a call or text from "your" number and email, which makes them a fast target. Check recent transactions and transfer/payee lists too.
  3. Apple / Microsoft / Google accounts on other devices — the ecosystem accounts that control your phone and computer.
  4. Social media — often used to log into other sites, and used to scam your friends.
  5. Shopping with stored cards (Amazon, PayPal, Venmo) — check for orders and money movement you didn't make.

Can't log into one of them? That account is compromised. Use its password-reset flow (your recovered Gmail now works for this), and go through that service's own account-recovery or fraud process. Then do the seal-off routine below.

9. The seal-off routine (for any compromised account)

For every account the hacker touched, do these four things — quickly, then move to the next account. Don't perfect one account while five others burn:

  1. Regain access — reset the password.
  2. Fix the contact info — make sure the email and phone on the account are yours (hackers swap in their own).
  3. Sign out all sessions — kick out anyone still logged in.
  4. Note it on a list — you'll come back and add two-factor authentication in Phase 3. Don't spend time on that now; speed matters more.

And keep watching your inbox for the next few days: every "your password was changed" email you didn't trigger is the hacker telling you which account to seal off next.

10. Warn your contacts

Check your Sent and Trash folders for messages the hacker sent as you. Hackers love to email your contacts with "I'm stranded, wire me money" scams or malicious links — from your real address, which people trust. A short note to affected contacts ("My email was hacked — if you got a strange message from me, delete it and don't click anything") protects the people around you.

11. Freeze your credit

Assume the hacker saw enough in your email (statements, tax docs, addresses) to try opening credit in your name. Freezing your credit at all three bureaus is free, takes about 15 minutes total, and stops new accounts cold. You can unfreeze anytime you actually need credit. If money was stolen or your identity misused, also file a report at the FTC's identity-theft site — it generates the paperwork banks ask for.

Phase 3 · This week

Lock it down so it never happens again

The emergency is over. Now make yourself a hard target. Two ideas drive everything below: your email and phone number are the hub of your digital identity, and your phone number is the weakest link — because a scammer can take it over without ever touching your phone (a "SIM swap": they convince or bribe a carrier employee to move your number to their SIM, then receive all your security codes). Harden accordingly.

12. Turn on 2-Step Verification — with an authenticator app, not SMS

Two-factor authentication is the single biggest upgrade you can make. But how you receive codes matters: text-message codes can be stolen in a SIM swap. Use an authenticator app (Google Authenticator or similar) that generates codes on your device. Turn this on for Google first, then for every account on the list you made in Step 9. Choose an app that backs up its codes (Google Authenticator can sync to your account) so a lost phone doesn't lock you out.

13. Add passkeys — and consider hardware security keys

Passkeys (built into your phone/computer, unlocked with Face ID or fingerprint) are phishing-proof and free — set one up for Google today. For the strongest protection, buy two hardware security keys (YubiKey or Google Titan, ~$30 each; get NFC models so they tap against your phone). Register both — one to carry, one locked away as backup — on Google, Apple, Microsoft, and any financial account that supports them. If you're a high-value target, look at Google's free Advanced Protection Program, which locks your Google account to your keys/passkeys entirely.

14. Print your backup codes and store them somewhere safe

When you set up two-factor authentication, every service offers backup codes. Print them (paper, not a file on your computer) and store them somewhere genuinely safe — a home safe or safe-deposit box. If you lose your phone or your keys, these codes are often the only way back into your accounts; support lines deliberately can't override strong security. Treat the printed codes like cash: anyone holding them can bypass your security entirely.

15. Get a password manager — one strong, unique password per account

If your Gmail password was reused anywhere else, the hacker already has a master key to those accounts. A password manager (1Password, Bitwarden, or Apple's built-in Passwords app) generates and remembers a unique random password for every site, so one breach can never cascade again. While you're at it, check haveibeenpwned.com to see which breaches your email has appeared in — and change any password you reused.

16. Protect your phone number from SIM swapping

Since your phone number can reset so many accounts, protect the number itself:

  • Turn on your carrier's Number Lock / Port-Out Protection. All major US carriers now offer a free setting that blocks your number from being transferred without extra verification. This is the single best SIM-swap defense — do it today in your carrier's app.
  • Add a PIN/passcode to your carrier account that's required for any account change.
  • Save your carrier's fraud-department number as a contact now. If you're ever swapped, minutes matter — you don't want to be hunting for the number while your accounts fall. (Find it on your carrier's official website or your bill.)
  • Consider a carrier without retail stores (like Google Fi) for your primary number — store employees incentivized to sell phones are the classic SIM-swap weak point.
  • Power users: add a second, unpublished line (eSIM makes this cheap) and use that number for SMS codes on financial accounts. If your public number gets swapped, your sensitive accounts never notice — and you still have a working phone to call for help.

17. Remove your phone number as a recovery method wherever you can

This one surprises people, but it's among the most important: once you have an authenticator app, passkeys, and backup codes, delete your phone number from account recovery on Google and anywhere else that allows it. A recovery phone number is a standing invitation for a SIM-swapper to reset your password. Google lets you remove it entirely once other methods exist. (Apple requires a number on file — use a second line or a trusted family member's number rather than your main one.)

18. Optional: a separate email for your most sensitive accounts

For maximum separation, create one extra email address that you use only for banks and financial accounts — never for shopping, newsletters, or anything public. If your everyday email is ever compromised again, the attacker won't even know where your money lives. Keep this address off your résumé, your business card, and every mailing list.

For the future: the two tells of a SIM swap

Now that your email is hardened, the phone number is the next thing attackers try. You'll know it's happening if:

  1. Your carrier emails you about changes you didn't make — "your number was activated on a new device," the same emails you'd get when buying a new phone. Except you didn't.
  2. Your phone suddenly drops to "SOS" / no service in a place where you'd normally have signal. Your number now rings on someone else's phone.

If either happens: call your carrier's fraud department immediately (the contact you saved in Step 16 — not the general support line), then run Phase 1 and 2 of this guide. Time is everything.

Know someone who just got hacked?

Send them this page — kedlin.com/gmail-hacked. It's free, there's nothing for sale, and the first hour matters most.

Copied