
Account Compromised or Hacked

Finding out your account was accessed by someone else is disorienting. The order in which you respond determines how much damage gets done.


The Sent Folder

Anika opened her email on a Tuesday evening and saw 23 messages in her sent folder that she had not sent.

Each one was addressed to a different contact. Each one asked them to click a link to verify a shared document. The links were phishing pages.

Her contacts had already started clicking. Her colleague had entered her work login. Her mother had entered her bank details. Two other friends had responded asking what the document was for.

Anika's email password was the same one she used for her banking app.

She had received no notification that anyone else had logged in. The attacker had been in her account for eleven hours before she noticed.


What Is Actually Happening

197 days: average time to detect a compromised account.

Most account compromises are discovered by the victim noticing something wrong - not by the platform detecting it.

Source: IBM Cost of a Data Breach Report, 2024

Data Breaches

3 Billion Credentials Exposed in 2024

Over 3 billion credentials were exposed in data breaches in 2024. These credentials are sold on dark web markets and tested against other services automatically. If you reuse passwords, a breach at one site exposes every other site that shares that password.

Source: Cybernews Research, 2024

Password Reuse

65% of People Reuse Passwords

65% of people reuse passwords across multiple sites. This is why attackers target low-security sites first - a breach at a forum yields credentials that work on banking apps. Password reuse turns every breach into a potential account takeover everywhere.

Source: LastPass Global Password Security Report, 2025

Account Takeover

354% Increase in Account Takeover Attacks

Account takeover attacks increased by 354% between 2023 and 2024. Email accounts are the highest-value target because they are used to reset every other account, giving attackers a secondary attack surface.

Source: Sift Q1 2025 Digital Trust and Safety Index

Detection Gap

You Are Your Own Best Detector

Platform security systems detect large-scale breaches but often miss individual account takeovers. Unusual login locations, sent messages you did not write, and changed account details are the most common first signals - noticed by the account owner, not the platform.

Source: IBM Cost of a Data Breach Report, 2024

Immediate Actions - Stop Ongoing Access

Speed matters here. Every minute of delay is another minute the attacker can use your account.

Step 1 - Use a trusted device

Do not use the device that was logged into the compromised account. Use your phone on mobile data, or another person's device. If your device has malware, any password you type on it may be captured.

Step 2 - End all active sessions

Every major platform has a "sign out of all devices" option in security settings. This terminates any open sessions immediately - including the attacker's. Find it before you change the password, because a session can stay open even after a password change on some platforms.

  • Gmail: Security > Your devices > Manage devices > sign out all
  • Outlook: Security > sign-in activity > terminate sessions
  • Facebook: Settings > Security and Login > Where you're logged in > Log out of all sessions
  • Apple ID: Settings > your name > scroll to devices > remove each unknown one

Step 3 - Change the password from the trusted device

Use a password that is long, unique to this account, and not used anywhere else. A password manager can generate and store this. Do this after ending sessions, not before - otherwise the attacker's session may persist.

Step 4 - Check recovery options

Attackers frequently change recovery email addresses and phone numbers immediately after gaining access. This is how they lock you out permanently. Go to security settings and check:

  • Recovery email address
  • Recovery phone number
  • Backup codes (regenerate them)
  • Any apps with access to the account

Remove anything you did not add.


Assessing What the Attacker Accessed

Once the account is secured, assess what was visible and what may have been taken.

For email accounts:

  • Check the sent folder for phishing sent in your name
  • Check forwarding rules - attackers often set up forwarding to monitor your inbox even after a password change
  • Check what services used this email for sign-in (look for verification emails in your inbox history)
  • Check drafts - attackers sometimes draft content for later use
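Forwarding rules are the check most people miss, and on a large mailbox they are easy to skim past in the settings page. The script below is an added example (not part of this guide and not a tool from any mail provider) that reads an exported filter file and flags rules that forward mail elsewhere, delete matching mail, or hide it from the inbox. It assumes the Atom-style XML that Gmail's "Export filters" option produces, where each rule is an entry with `apps:property` elements such as `forwardTo`, `shouldTrash` and `shouldArchive`; the sample file and all addresses in it are constructed for this example.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Constructed sample in the shape of a Gmail filter export (assumed format).
# Every address here is made up for the example.
SAMPLE_FILTERS_XML = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='from' value='alerts@mybank.example'/>
    <apps:property name='forwardTo' value='unknown-address@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <category term='filter'/>
    <apps:property name='hasTheWord' value='invoice'/>
    <apps:property name='forwardTo' value='me.backup@example.com'/>
  </entry>
</feed>
"""


def parse_filters(xml_text):
    """Return one dict of property name -> value per filter entry."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value") for p in entry.iter(APPS + "property")}
        filters.append(props)
    return filters


def flag_filters(filters, known_good_forwards=()):
    """Flag rules that move mail out of the owner's sight.

    known_good_forwards: addresses the owner set up deliberately; a forward
    to anything else is reported as 'unknown-forward'.
    """
    trusted = {a.lower() for a in known_good_forwards}
    findings = []
    for index, props in enumerate(filters):
        reasons = set()
        forward_to = props.get("forwardTo")
        if forward_to and forward_to.lower() not in trusted:
            reasons.add("unknown-forward")
        if props.get("shouldTrash") == "true":
            reasons.add("auto-delete")      # matching mail never stays in the mailbox
        if props.get("shouldArchive") == "true":
            reasons.add("skip-inbox")       # matching mail is hidden from the inbox view
        if reasons:
            match = props.get("from") or props.get("hasTheWord") or "*"
            findings.append({"index": index, "match": match,
                             "forward_to": forward_to, "reasons": reasons})
    return findings


if __name__ == "__main__":
    rules = parse_filters(SAMPLE_FILTERS_XML)
    for f in flag_filters(rules, known_good_forwards=["me.backup@example.com"]):
        print(f"rule {f['index']} matching '{f['match']}': {', '.join(sorted(f['reasons']))}"
              + (f" -> {f['forward_to']}" if f["forward_to"] else ""))
```

Run it against your own export and treat every flagged rule as something to explain or remove; a forward combined with auto-delete is the pattern to look for, because it keeps working after a password change. The same idea applies to any provider's rule export, only the element and property names change.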

For social media:

  • Check posted content, stories, and direct messages sent in your name
  • Check connected apps - revoke any you do not recognise
  • Check if your profile information was changed

For cloud storage:

  • Check download and export history
  • Check shared file permissions
  • Check if any files were deleted

Securing Linked Accounts

If you used the same password elsewhere, those accounts are also at risk. Change passwords on all accounts that shared the same password, starting with the most sensitive:

  1. Banking and financial accounts
  2. Other email accounts
  3. Work accounts
  4. Password manager (if affected)
  5. Social media

Use the account recovery tool below to get a step-by-step sequence for each type.
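Working out which accounts shared the compromised password is the slow part of this step. As an added example (not the page's recovery tool and not any password manager's own feature), the script below reads a password manager export in the generic name,url,username,password CSV shape, groups entries that share a password, and orders each group by the priority list above: banking, then other email, then work, then password manager, then social media. The export data and the keyword lists used to classify each entry are constructed assumptions for this example.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; every site, username and password is made up.
SAMPLE_EXPORT = """name,url,username,password
Gmail,https://mail.google.com,user@example.com,Summer2024!
MyBank,https://online.mybank.example,user,Summer2024!
Office 365,https://login.microsoftonline.com,user@work.example,Summer2024!
Instagram,https://instagram.com,user_k,Summer2024!
Forum,https://forum.example.org,user,correct-horse-battery
Shop,https://shop.example.com,user@example.com,xK9#pLq2$vB
Outlook,https://outlook.live.com,user@outlook.example,correct-horse-battery
"""

# Priority order from the guide; the keywords that map an entry to a
# category are an assumption of this example, not a standard.
PRIORITY = [
    ("banking", ("bank", "paypal", "card", "finance")),
    ("email", ("mail", "gmail", "outlook", "proton")),
    ("work", ("work", "office", "microsoftonline", "okta", "slack")),
    ("password manager", ("1password", "bitwarden", "lastpass", "keepass")),
    ("social media", ("facebook", "instagram", "twitter", "tiktok", "linkedin")),
]


def classify(entry):
    """Return (rank, label); unknown sites sort last as 'other'."""
    text = (entry["name"] + " " + entry["url"]).lower()
    for rank, (label, keywords) in enumerate(PRIORITY):
        if any(k in text for k in keywords):
            return rank, label
    return len(PRIORITY), "other"


def find_reused(csv_text):
    """Group accounts that share a password; each group is ordered by priority,
    and the largest groups come first."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row)

    groups = []
    for entries in by_password.values():
        if len(entries) < 2:
            continue  # a unique password needs no follow-up here
        ordered = sorted(entries, key=lambda e: (classify(e)[0], e["name"]))
        groups.append([(classify(e)[1], e["name"]) for e in ordered])
    groups.sort(key=lambda g: (-len(g), g[0][0]))
    return groups


if __name__ == "__main__":
    for n, group in enumerate(find_reused(SAMPLE_EXPORT), start=1):
        print(f"Shared password #{n}: change in this order")
        for label, name in group:
            print(f"  - {name} ({label})")
```

Only the order and the names are printed; the passwords themselves never leave the grouping. Delete the export file once you have your list, since it holds every password in plain text.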


Notifying Your Contacts

After the account is secured, notify contacts about any phishing sent in your name. Be specific:

  • What the message looked like
  • What link it contained
  • What they should do if they clicked it (change passwords on any account they entered credentials for)

Send this notification from a different channel if possible - a text message, WhatsApp, or a second email account. If your email sent phishing and contacts receive your warning from the same email, some may distrust the warning itself.


Rebuilding Authentication

Once the immediate crisis is resolved, strengthen the account against future attacks.

Two-factor authentication: Enable it on every account using an authenticator app rather than SMS. SMS-based 2FA can be intercepted. Authenticator apps (Google Authenticator, Authy, 1Password) generate codes locally.

Passkeys: Where available, switch to passkeys. Passkeys replace passwords entirely and are phishing-resistant by design.

Login alerts: Enable email or SMS alerts for new sign-ins on every account that offers them.

Password manager: Use one. Every account should have a unique, randomly generated password. A password manager makes this manageable.


Try It: Account Recovery Planner

Select your account type to get a prioritised, step-by-step recovery sequence specific to that platform.


What That Just Showed You

1. The sequence is not obvious - and the wrong order causes more damage. Changing the password before ending sessions means an attacker's active session may persist. Notifying contacts before securing the account means sending from a still-compromised account. Order matters.

2. Email accounts require extra checks that other accounts do not. Forwarding rules and auto-reply settings persist after a password change. An attacker can set up forwarding that continues even after you regain control. This is one of the most commonly missed steps.

3. A password manager is not optional for anyone who uses more than three accounts. The 65% password reuse rate exists because remembering unique passwords for dozens of sites is not realistic without a tool. Password managers eliminate the reuse problem entirely.

4. Recovery options are often the real attack target. Changing your password does not help if the attacker has already changed your recovery email to one they control. Check recovery settings as early as step two, not as an afterthought.


Three Things Worth Doing

  1. Go to your email account's security settings right now and check what devices are shown as logged in. Remove anything you do not recognise. Then check your recovery email and phone number are still yours.

  2. Check haveibeenpwned.com with your primary email address. If it appears in known breaches, every account that shared that email and password combination is at risk.

  3. Enable login alerts on your three most important accounts: email, banking, and password manager. You should know immediately when someone signs into these accounts from a new device.


One Question Before You Continue

Knowledge Check

You just discovered your email was compromised. What is the first thing you should do?