HackWatch

Recovery guide

How to recover a hacked Gmail account

Gmail is often the master recovery channel for everything else. If it is compromised, attackers can pivot into password resets, financial accounts, cloud storage and identity-sensitive services very quickly.

This guide focuses on what to secure first in Gmail itself, what signs show the attacker is still present and how to contain downstream exposure before it becomes a wider breach problem.

Gmail recovery sequence

  1. Start from Google account recovery using a clean trusted device.
  2. Review recent security activity and unfamiliar devices in your Google account.
  3. Reset the password, remove suspicious app access and rotate backup codes.
  4. Check Gmail filters, forwarding, delegates and mailbox rules for persistence.
  5. Review recovery email, recovery phone and passkey or MFA settings for unauthorized changes.
  6. Secure every high-value account that uses Gmail as its password-reset or notification channel.

Signs Gmail is still exposed

Look for deleted security notifications, forwarding to unknown addresses, new filters, unfamiliar sign-ins, modified recovery settings, unexpected OAuth grants or blocked access to older trusted devices.

Why Gmail recovery comes before everything else

If the attacker still controls the mailbox, they may silently undo resets or intercept recovery codes on every other service tied to that address.

Related next steps