If you can no longer recover or sign in to your Gmail account, or if you notice emails in your Sent folder that you did not write, your account has most likely been compromised or hacked. Speed matters here: attackers often use a freshly hacked Gmail account to reset every linked service (banking, social media, work tools) within the first hour.
This guide gets you back in control in under 30 minutes, then locks the account down so it does not happen again.

Step 1: Recover access using the official Google form
Go to accounts.google.com/signin/recovery in a private browser window (no extensions, no autofill). The private window matters because saved logins or cached cookies can interfere with Google’s verification flow.
- Enter the email address of the hacked account.
- Click “Try another way” until you reach the option to “Enter the last password you remember.”
- Type the most recent password you remember, even if you think the attacker changed it. Google uses your password history to verify identity.
- Google sends a verification code to your recovery email or recovery phone number. Enter it.
- If you no longer have access to either recovery method, click “Try another way” again and answer the account-history questions (creation month and year, common contacts, security questions).
- Once verified, Google forces you to set a new password. Use a long passphrase, minimum 16 characters, never reused on any other site.
If Google rejects your recovery attempt, wait 24 hours and try again from the same device on the same Wi-Fi network. Google’s algorithm weights “device and location consistency” heavily.
Step 2: Sign out all other sessions and check active devices
The attacker may still have an active session on their device. To kick them out:
- Open myaccount.google.com/device-activity.
- Review the list of recent devices and locations. Any entry you do not recognize is the attacker’s device.
- Click the suspicious device and then click “Sign out.” This invalidates their session token immediately.
- Repeat for every device in the list that is not yours.
- Go to myaccount.google.com/security and scroll to “Your devices.” Confirm only your devices remain.
Step 3: Audit and revoke app permissions
Attackers often add their own app or grant a third-party app access to your data before you regain control. These permissions persist even after you change the password.
- Go to myaccount.google.com/permissions.
- Review every connected app. Remove anything you did not personally authorize.
- Pay special attention to anything labeled “Has access to Gmail” or “Has access to Drive.”
- Also check Filters and Forwarding in Gmail settings (gear icon > See all settings > Filters and Blocked Addresses, then Forwarding and POP/IMAP). Attackers often set a forwarding rule to siphon incoming mail to their own address.
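A faster way to audit every filter at once, added here as an example and not part of the original guide: use the Export button at the bottom of Filters and Blocked Addresses, then run this script over the downloaded XML. It assumes the export is the Atom feed Gmail produces (one `<entry>` per filter, each rule stored as an `apps:property`); the sample feed below is constructed, and the addresses in it are placeholders.

```python
import xml.etree.ElementTree as ET

APPS_NS = "{http://schemas.google.com/apps/2006}"
ATOM_NS = "{http://www.w3.org/2005/Atom}"

# Actions that make mail disappear from the inbox. Combined with criteria that
# match security or password-reset mail, they are a classic hide-the-evidence rule.
HIDE_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
SENSITIVE_WORDS = ("password", "security alert", "verification", "sign-in", "reset")

# Constructed sample export: filter 1 is benign, filter 2 forwards all incoming
# mail to an outside address, filter 3 quietly trashes password-reset mail.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
  </entry>
  <entry>
    <apps:property name='to' value='victim-placeholder@example.com'/>
    <apps:property name='forwardTo' value='attacker-placeholder@example.net'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <apps:property name='subject' value='password reset'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>"""

def parse_filters(xml_text):
    """Return one dict of property name -> value per <entry> in the export."""
    root = ET.fromstring(xml_text)
    return [{p.get("name"): p.get("value") for p in e.iter(APPS_NS + "property")}
            for e in root.iter(ATOM_NS + "entry")]

def audit_filters(filters):
    """Flag forwarding rules and rules that hide security-related mail."""
    findings = []
    for idx, f in enumerate(filters, start=1):
        if f.get("forwardTo"):
            findings.append((idx, "forwards mail to " + f["forwardTo"]))
        criteria = " ".join(f.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).lower()
        hides = [a for a in HIDE_ACTIONS if f.get(a) == "true"]
        if hides and any(w in criteria for w in SENSITIVE_WORDS):
            findings.append((idx, "hides security mail via " + ", ".join(hides)))
    return findings

if __name__ == "__main__":
    for idx, msg in audit_filters(parse_filters(SAMPLE_EXPORT)):
        print(f"filter #{idx}: {msg}")
```

For a real audit, replace SAMPLE_EXPORT with the contents of the exported file; any filter the script flags should be deleted in Gmail settings, and the Forwarding tab checked separately because account-level forwarding is not part of the filter export.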
Step 4: Reset passwords on every linked service
Your Gmail address is the recovery email for dozens of accounts. Even if the attacker only had your Gmail for 10 minutes, they may have triggered password resets that are still pending in your inbox. Now that you have access back, work through this list:
| Priority | Service category | Examples |
|---|---|---|
| 🔴 First (now) | Banking + payment | Bank login, PayPal, GCash, Maya, Wise, crypto exchanges |
| 🟠 Within 1 hour | Social + identity | Facebook, Instagram, X, LinkedIn, TikTok |
| 🟡 Within 6 hours | Cloud + work | Dropbox, OneDrive, Slack, Notion, Trello, GitHub |
| 🟢 Within 24 hours | Subscriptions + shopping | Netflix, Spotify, Amazon, Shopee, Lazada, Steam |
Check your Trash and Spam folders for password reset emails from the attacker’s attempts; they may have moved them to hide the activity.
Step 5: Turn on 2-Step Verification (mandatory)
2-Step Verification (2SV, sometimes called 2FA) blocks 99% of automated account takeovers. Even if an attacker steals your new password, they cannot sign in without your phone.
- Go to myaccount.google.com/signinoptions/two-step-verification.
- Click “Get started” and re-enter your password.
- Add your phone number for SMS codes as the fallback method.
- More secure option: add an authenticator app (Google Authenticator, Authy, 1Password) as the primary method. Apps work offline and resist SIM-swap attacks.
- Most secure option: add a physical security key (YubiKey, Google Titan). Hardware keys cannot be phished.
- Generate and save 10 backup codes in a password manager. These let you sign in if you lose your phone.
Step 6: Add a recovery email and phone
Recovery contacts are how Google verifies you next time. Set both:
- Go to myaccount.google.com/recovery.
- Add a recovery email that is on a different provider (Outlook, ProtonMail, Yahoo). This avoids losing both if Gmail is down.
- Add a recovery phone number you control. Avoid VoIP numbers (Google Voice, Skype); they sometimes fail verification.
- Confirm both with the codes Google sends.
Prevention checklist (do this once, never get hacked again)
- ✅ Use a unique 16+ character password for Google (never reused anywhere)
- ✅ Turn on 2-Step Verification with an authenticator app, not SMS
- ✅ Run Google’s Security Checkup quarterly at myaccount.google.com/security-checkup
- ✅ Use a password manager (Bitwarden, 1Password, Proton Pass) so unique passwords are sustainable
- ✅ Never click “sign in with Google” prompts from emails; type the URL yourself
- ✅ Avoid public Wi-Fi when signing in to Google; use a VPN if you must
- ✅ Review device-activity and permissions monthly
- ✅ Set a memorable recovery question only you can answer
Most Gmail compromises in 2026 happen via password reuse, fake “Google security alert” phishing emails, and malicious browser extensions. None of those work if you follow the checklist above.
Frequently Asked Questions
How long does Google take to recover a hacked Gmail account?
If you have access to a recovery phone or recovery email and remember a past password, recovery takes 10-15 minutes. Without those, Google’s manual identity-verification process can take 3-5 business days because they cross-check account history (creation date, common contacts, browsing patterns).
What if I do not have my recovery phone or email anymore?
Use the account history questions instead. Google asks for your account creation month/year, common recipient addresses you email, and security questions you set previously. Answer from the same device and Wi-Fi you used to access the account historically; Google weights location and device fingerprint heavily in manual recovery.
Should I delete a hacked Gmail account?
Only as a last resort. Once you delete a Google account, you lose Drive files, Photos, YouTube history, and the address itself (Google holds the address forever; no one else can re-claim it). Try every recovery step first, and use the Google account specialist support form at support.google.com/accounts if manual recovery fails.
Is SMS 2FA safer than no 2FA at all?
Yes, much safer. SMS 2FA stops 96% of automated bot attacks even though it is vulnerable to SIM-swap attacks targeted at high-value individuals. For most people, SMS 2FA is good enough, and you should add it immediately if you have not. For better protection, switch to an authenticator app (Google Authenticator, Authy) or hardware key (YubiKey).
How do I know if someone is still in my Gmail account right now?
Open Gmail in a browser, scroll to the very bottom of any inbox view, and click the small “Last account activity” link in the lower right. A pop-up shows the last 10 sign-ins with IP addresses and country. If you see any IP you do not recognize, click “Sign out all other sessions” at the top of the same pop-up.
Can I report the person who hacked my Gmail to Google?
Yes. Submit a report at support.google.com/mail/answer/8253 with the IP addresses from your device-activity log. Google does not pursue criminal action directly but flags the attacker’s account for review and may lock it. For financial loss, file a police report in your local jurisdiction and submit the case ID to Google for evidence support.
