
Is your email hacked?

The signs that tell you your email has been compromised, the quick checks that confirm it, and the step-by-step recovery that locks it back down.

Summary

If you suspect your email has been hacked, the fastest thing to do is check HaveIBeenPwned to see if it’s in known breaches, then check your email provider’s recent-activity log for unfamiliar sign-ins. If anything looks wrong, change the password immediately, turn on two-factor authentication (authenticator app or hardware key — not SMS), remove any forwarding or filter rules you didn’t create, check other accounts that use the same email, and warn your contacts. Most email compromises come from credential reuse (a breach on one site reused elsewhere) or phishing rather than sophisticated hacking. A password manager plus unique passwords plus 2FA on the email itself blocks most real-world attack paths.

Six signs your email might be compromised

Any one of these warrants a closer look. Two or more together, and you should treat the account as compromised until proven otherwise.

Emails you didn’t send appearing in Sent

The clearest sign. Messages you don’t recognise sitting in your Sent folder, or "Sorry for the spam" replies from contacts.

Password-reset emails for accounts you didn’t request

Someone trying to take over accounts that use your email as the recovery address. Often the first warning before fuller compromise.

Can’t log in with your usual password

The most alarming sign, and often the one that finally prompts action. The attacker has changed the password; you’re locked out.

Unfamiliar sign-in alerts or devices in your account activity

Most providers (Google, Microsoft, Apple) notify you of new device sign-ins. An alert from a country you’ve never been to is a red flag.

Friends report odd messages from your account

Attackers often use a compromised email to send scam messages to your contacts. If people are asking whether you really sent something, take it seriously.

Security settings you didn’t change

Recovery email changed, two-factor authentication disabled, forwarding rules added. Attackers set these up to keep access once you change your password.

Four quick checks

Do these in order. They take about five minutes total and will tell you whether to keep calm or move fast.

01. Check HaveIBeenPwned

Go to haveibeenpwned.com and enter your email. It’s free, safe, and takes seconds. It tells you whether your email has appeared in any known breach, which gives you a sense of how exposed you already are.

02. Check your email provider’s activity log

Gmail: go to Google Account > Security > Recent security events. Outlook/Microsoft: account.microsoft.com > Security > Sign-in activity. Apple: appleid.apple.com > Devices. Look for sign-ins from locations, devices, or times you don’t recognise.

03. Review forwarding and filter rules

A common attacker trick is to set up auto-forwarding from your inbox to their address, or filters that delete password-reset emails before you see them. Check filter/rule settings in your email provider and remove anything you didn’t create.

04. Check connected apps

In your email account’s Security settings, review the third-party apps and services that have access. Revoke anything unfamiliar.

If the answer is yes

Six steps to lock the account back down. Work through them in order — some depend on the previous one.

Change the password

If you still have access, change it immediately. Use a password manager — Bitwarden, 1Password, Dashlane — to generate a long unique one. If you’ve lost access, use the provider’s account-recovery process.

Turn on two-factor authentication

Non-negotiable. Use an authenticator app (Google Authenticator, Authy) or a hardware key (YubiKey) rather than SMS — SMS is the weakest form of 2FA.

Remove unknown forwarding and filter rules

An attacker who had access may have set up rules to keep receiving your mail after you change the password. Delete anything suspicious.

Check other accounts that use this email

Banking, social media, cloud storage, online shopping. If the email was compromised, the attacker may have used it to request password resets elsewhere. Check activity logs on important accounts.

Warn your contacts

A quick note letting them know you’ve been compromised and to ignore anything odd from your account. Especially if the attacker sent scam messages in your name.

Check financial statements

Look for unauthorised transactions on bank accounts, credit cards, and payment services (PayPal, Stripe, Apple Pay). The window between compromise and fraud can be very short.

After recovery: understanding your exposure

Locking the account back down is the urgent step. The longer-term question is what information about you was already out there — and what a determined attacker could still piece together.

A personal OSINT check on your own email shows you what’s visible across breach databases, social platforms, public records, and the open web. It’s a useful audit: the things you’d want to clean up, the accounts you’d forgotten about, the data points that still circulate. BLACKEYES runs that check from your email address in around fifteen minutes.

Frequently asked questions

How do hackers actually get email passwords?

Most compromises don’t involve sophisticated hacking. The common routes are: credential reuse (you used the same password on another site that got breached), phishing (you entered your password on a fake login page), malware on your device (keyloggers), or password leaks in breaches. Credential reuse is by far the most common — which is why using unique passwords per site, via a password manager, matters.

My email is in HaveIBeenPwned but I can still log in — am I hacked?

Not necessarily. HaveIBeenPwned shows which breaches your email has appeared in; it doesn’t mean your account is currently compromised. But it does mean your credentials have been exposed somewhere, so changing the password on that breached service — and anywhere else using the same password — is the right move.

Should I delete my email account if it’s been hacked?

Usually not. Deleting causes more problems than it solves — you lose history, and any account using this email as recovery will become harder to regain. Better: change the password, enable 2FA, remove the attacker’s access, and carry on. Only delete if you have a fresh account ready and have migrated everything critical.

How do I know if malware is on my device?

Unusual slowness, pop-ups, browser redirects, unknown programs in your task list, or security software disabled. A trusted antivirus or anti-malware scan (Malwarebytes, Microsoft Defender, built-in macOS tools) is the first step. If you suspect your device is compromised, don’t log into sensitive accounts from it until you’ve cleaned it.

What if someone else is using my email to scam my contacts?

If you’ve lost access and the attacker is actively using your account, contact your provider’s support immediately — every major provider has a procedure for this. Warn your contacts through a different channel (phone, another email, social media) that you’ve been compromised.

Does running an OSINT check on my own email help?

It can help you understand what an attacker could piece together about you from your existing digital footprint. That context is useful when assessing how much damage a compromise could do — and what else to lock down. BLACKEYES runs this kind of personal-exposure check from your email and returns a full report.
