
Email hacked — what to do (7-step checklist)

Suspect someone broke into your email? Follow these 7 steps in order — the first 24 hours are critical.

Do you recognize these signs?
Your email is likely compromised if:
  • You can no longer sign in (password suddenly stopped working)
  • Contacts get strange messages from you that you didn't send
  • Sent folder has emails you didn't write
  • Forwarding rules exist that you didn't set up
  • You received a notification of sign-in from an unknown location or device
  • Password reset emails appear for services you didn't request
  • 24h: average time to second-stage damage (Verizon DBIR)
  • 60% of compromised email accounts are used to phish contacts
  • 15 min is enough for an attacker to reset all linked services
1. Change your password immediately — from another device
Critical: If you suspect the attacker still has access, change your password from a different device — phone, borrowed laptop, work computer. Your current device may have a keylogger.
Gmail
myaccount.google.com → Security → Password
Outlook / Hotmail
account.microsoft.com → Security → Change password
Yahoo
login.yahoo.com → Account settings → Change password
iCloud / Apple ID
appleid.apple.com → Sign-in and security → Change password
What to use as the new password? Generate a strong unique one with the Geslar generator (16+ characters, mixed) or a passphrase of 5+ words. Don't use a variation of the old password — attackers often know the old pattern.
2. Check forwarding rules and filters
The most common silent sabotage: an attacker sets a rule to auto-forward all email to their address and delete from your inbox. They see everything that arrives — bank notifications, reset links, OTP codes — and you never find out.
Gmail
Settings → Filters and blocked addresses + Settings → Forwarding and POP/IMAP. Delete any unknown rules.
Outlook
Settings → Mail → Rules + Mail → Forwarding. Also check the "Reply-to" address.
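As an added example (not from the article and not a Geslar tool), the script below audits a Gmail filter export for exactly the kind of rule described above. It assumes the Atom XML that Gmail's Settings → Filters and blocked addresses → Export produces, as I understand that format (one entry per filter, each carrying apps:property name/value pairs); the sample export embedded in it is constructed, and the attacker address in it is a placeholder. Forwarding rules are reported first, then rules that delete, and last rules that only hide mail from the inbox, so a quick review can start at the top.

```python
"""Audit an exported Gmail filter file for forwarding or mail-hiding rules.

Added example for the checklist above; not part of the Geslar article or
Geslar's code. Reads the Atom XML that Gmail's filter export produces
(format as assumed here: one <entry> per filter with <apps:property>
name/value pairs). The sample export below is constructed.
"""
import xml.etree.ElementTree as ET

ATOM = "http://www.w3.org/2005/Atom"
APPS = "http://schemas.google.com/apps/2006"

# Filter actions worth reviewing after a compromise, with a plain description.
SUSPICIOUS_ACTIONS = {
    "forwardTo": "forwards matching mail to another address",
    "shouldTrash": "deletes matching mail",
    "shouldArchive": "hides matching mail from the inbox",
    "shouldMarkAsRead": "marks matching mail as read (no new-mail cue)",
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Constructed sample: one benign newsletter filter, and one hostile filter that
# grabs bank and password-reset mail, forwards it, marks it read and trashes it.
SAMPLE_EXPORT = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='Newsletters'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
  <entry>
    <category term='filter'></category>
    <title>Mail Filter</title>
    <apps:property name='hasTheWord' value='bank OR "reset your password" OR code'/>
    <apps:property name='forwardTo' value='attacker-mailbox@example.net'/>
    <apps:property name='shouldTrash' value='true'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
  </entry>
</feed>
"""


def parse_filters(xml_text: str) -> list:
    """Return one {property_name: value} dict per filter entry in the export."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    filters = []
    for entry in root.findall(f"{{{ATOM}}}entry"):
        props = {}
        for prop in entry.findall(f"{{{APPS}}}property"):
            props[prop.get("name")] = prop.get("value", "")
        filters.append(props)
    return filters


def audit_filters(xml_text: str) -> list:
    """Flag filters that forward, delete or hide mail; most severe first."""
    findings = []
    for index, props in enumerate(parse_filters(xml_text)):
        hits = [name for name in SUSPICIOUS_ACTIONS
                if props.get(name) not in (None, "", "false")]
        if not hits:
            continue
        # Forwarding is the classic silent-sabotage rule; deleting comes next;
        # archive/mark-read alone is common for newsletters but still worth a look.
        if "forwardTo" in hits:
            severity = "high"
        elif "shouldTrash" in hits:
            severity = "medium"
        else:
            severity = "low"
        criteria = {k: v for k, v in props.items() if k not in SUSPICIOUS_ACTIONS}
        findings.append({
            "filter": index,
            "severity": severity,
            "actions": {name: props[name] for name in hits},
            "criteria": criteria,
        })
    findings.sort(key=lambda f: SEVERITY_RANK[f["severity"]])
    return findings


if __name__ == "__main__":
    for finding in audit_filters(SAMPLE_EXPORT):
        print(f"[{finding['severity'].upper()}] filter #{finding['filter']}")
        for name, value in finding["actions"].items():
            print(f"    {name}={value!r}: {SUSPICIOUS_ACTIONS[name]}")
        print(f"    matches: {finding['criteria']}")
```

Run it against your own export by reading the file into audit_filters; a forwardTo value you do not recognise is the rule to delete first, and the forwarding address itself should then be removed under Forwarding and POP/IMAP as well.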
3. Reset passwords everywhere your email is linked
Your email is the master key to reset every other password. If the attacker had access for even 15 minutes, they likely already started resets for:
  • Banks and fintech — Revolut, PayPal, Wise, your local bank
  • Social media — Facebook, Instagram, LinkedIn, X
  • Cloud and storage — Google Drive, Dropbox, OneDrive, iCloud
  • Online stores — Amazon, eBay, AliExpress (saved cards!)
  • Any service with "Sign in with email"
Faster way: instead of resetting one by one, open Geslar Vault, export or open the list of all saved passwords, and start with the most important (banks and cards first).
4. Enable 2FA on the email account — now
Without 2FA, even after changing the password, an attacker with device access or a keylogger can get back in. 2FA (two-factor authentication) requires a second step — a code from an app or hardware key — alongside the password.
Most secure: TOTP app
Generates codes offline. No SMS, no SIM swap risk. Try Geslar Authenticator, Aegis (Android), or Raivo (iOS).
Even more secure: Hardware key
YubiKey, Solo, NitroKey. A physical USB/NFC key that can't be phished. ~30€.
Avoid: SMS 2FA
Better than nothing, but vulnerable to SIM swap. If your email only offers SMS, use it temporarily until you can enable TOTP.
5. Review active sessions and sign out other devices
Changing the password doesn't sign out an attacker from devices already logged in. You have to manually terminate all active sessions.
Gmail
myaccount.google.com → Security → "Your devices" → sign out any device you don't recognize.
Outlook
account.microsoft.com → Security → Sign-in activity → "Sign me out everywhere".
Also check apps with account access (OAuth tokens). The attacker may have added their own app as "trusted" to bypass the password.
6. Scan devices for malware
If you never typed your password into a phishing page and the attacker still knew it, they likely got it through a keylogger or infostealer malware. Without cleaning the device, you're just handing them the new password too.
Windows
Run Microsoft Defender Offline scan + Malwarebytes Free. Restart in Safe Mode for thorough scanning.
macOS
Less risky but not immune. KnockKnock + Malwarebytes for Mac. Check Login Items and LaunchDaemons.
Android / iOS
Check the app list — remove anything unknown. On Android consider a factory reset if suspicion is strong.
7. Notify contacts and report the incident
Your contacts may have received phishing messages from your account. Send them (through another channel — WhatsApp, SMS, phone) a warning not to open unusual emails from recent days.
Report where relevant:
  • Employer / IT — if it's a work email, notify the IT department immediately. Your account can be the entry point for an attack on the entire company.
  • Bank — if you suspect the attacker accessed bank-related emails, call your bank and check transactions.
  • National CERT — for cyber incident reports in Croatia: cert.hr. In other countries, find your national computer emergency response team.
  • Police — if there's financial damage or identity theft, file a criminal report.
How to prevent it from happening again
Unique password per service
The biggest factor: an attacker with one leaked password tries every service. Geslar Vault generates and remembers a unique one for each.
2FA on all important accounts
Email, banks, social. Geslar Authenticator generates TOTP codes offline.
Regular leak checks
Check whether your data has leaked using the Geslar check. Subscribe to alerts at haveibeenpwned.com.
Author
Daniel Legin
Daniel Legin builds Geslar — a free password generator and manager made in Croatia.