A hacked Gmail account is rarely just an email problem. It is a control-plane problem. If an attacker controls your inbox, they can reset other accounts, intercept verification codes, impersonate you, and keep re-entering even after you change one password.
Rule of thumb: secure the Google Account that controls Gmail first, then remove attacker sessions, then harden recovery so the attacker cannot come back.
Immediate steps (choose the situation)
| Situation | Do this first | Then do this |
|---|---|---|
| You can still sign in | Run Google's Security Checkup from a clean device | Sign out unknown sessions, change password, and strengthen sign-in (passkeys or 2-Step Verification) |
| You cannot sign in | Use Google's official recovery flow | After recovery, revoke sessions and audit forwarding, filters, and connected apps |
| You are getting unexpected prompts or verification codes | Deny prompts and stop clicking links in messages | Treat it as active compromise and follow the full containment steps below |
| Your Google account is Workspace-managed (work email) | Escalate to your admin or IT immediately | Have them reset sessions, review admin logs, and check for mailbox rules and OAuth grants |
For a broader containment sequence across all your accounts, see the guide "been hacked: take these steps immediately". For the Google-specific recovery flow, see "how to recover a hacked Google account".
1) Use Google's official recovery and security tools
Do not start by changing random passwords across services. Start with the account that resets everything: your Google Account.
- Account recovery (when you cannot sign in): accounts.google.com/signin/recovery
- Google help page for account recovery guidance: Recover your Google Account
- Security Checkup (review devices, third-party access, and sign-in): myaccount.google.com/security-checkup
If you regain access, treat it as temporary until you remove attacker sessions and harden recovery.
2) Remove attacker access (sessions, devices, and connected apps)
Many "re-hacks" are not new hacks. They are old sessions. If the attacker has a session token or a connected app with broad access, password changes may not be enough.
- Review devices signed into the account and sign out anything you do not recognize.
- Review third-party apps and services connected to your Google Account and remove anything you do not actively use.
- Look for changes that indicate persistence: new recovery email, new phone number, or 2-Step Verification changes.
Common mistake: changing the password but ignoring app access and device sessions. That is how attackers return without re-entering credentials.
3) Change your Google password correctly
When you change the password, your goal is to make credential reuse stop working.
- Use a long, unique password stored in a password manager.
- Do not reuse old passwords, and do not use variations of the same password.
- Assume any password used on other sites is exposed and rotate those too.
If you have not already built a password manager habit, start with your inbox and your most important accounts first. That sequence changes outcomes quickly.
4) Strengthen sign-in (passkeys and 2-Step Verification)
Password-only access is brittle under phishing and credential stuffing. Use a stronger factor where possible.
- Enable 2-Step Verification if it is not already enabled: Turn on 2-Step Verification
- Prefer stronger methods when available (passkeys and security keys). Passkeys reduce phishing risk because they are designed to be bound to the legitimate domain. See passkeys for the model and tradeoffs.
5) Audit Gmail-specific persistence (forwarding, filters, delegates)
Inbox compromise often persists through configuration, not just passwords. After you regain control, check for:
- Forwarding addresses you did not add.
- Filters that auto-archive security alerts, invoices, or password reset emails.
- Delegated access or shared mailbox access you did not approve.
These items matter because they let an attacker keep harvesting information and re-enter through recovery flows.
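One way to make this audit repeatable is to export your filters (Gmail Settings > Filters and Blocked Addresses > Export gives a mailFilters.xml Atom feed) and scan the file for forwarding rules and for rules that hide security-related mail. The script below is an added example, not Google's code: the sample feed is constructed to mimic the export layout, and the list of sensitive terms is an assumption you should extend for your own inbox.

```python
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Senders and phrases an attacker's filter commonly suppresses (assumed list).
SENSITIVE_TERMS = ("security", "password", "verification", "sign-in", "reset",
                   "invoice", "no-reply@accounts.google.com")
HIDING_ACTIONS = ("shouldArchive", "shouldTrash", "shouldMarkAsRead")
MATCH_FIELDS = ("from", "to", "subject", "hasTheWord")

# Constructed sample in the layout of Gmail's filter export (mailFilters.xml).
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <apps:property name='from' value='no-reply@accounts.google.com'/>
    <apps:property name='shouldMarkAsRead' value='true'/>
    <apps:property name='shouldTrash' value='true'/>
  </entry>
  <entry>
    <apps:property name='hasTheWord' value='invoice OR "password reset"'/>
    <apps:property name='forwardTo' value='placeholder@attacker.example'/>
    <apps:property name='shouldArchive' value='true'/>
  </entry>
</feed>"""

def audit_filters(xml_text: str) -> list[dict]:
    """Return one finding per suspicious rule: any forwarding, or a hiding
    action (archive/trash/mark-read) whose match criteria touch sensitive mail."""
    findings = []
    for n, entry in enumerate(ET.fromstring(xml_text).iter(f"{ATOM}entry"), 1):
        props = {p.get("name"): p.get("value") for p in entry.iter(f"{APPS}property")}
        criteria = " ".join(props.get(f, "") for f in MATCH_FIELDS).strip().lower()
        if "forwardTo" in props:
            findings.append({"filter": n, "reason": "forwards mail", "to": props["forwardTo"]})
        hides = [a for a in HIDING_ACTIONS if props.get(a) == "true"]
        if hides and any(term in criteria for term in SENSITIVE_TERMS):
            findings.append({"filter": n, "reason": "hides sensitive mail",
                             "actions": hides, "criteria": criteria})
    return findings

if __name__ == "__main__":
    for f in audit_filters(SAMPLE_EXPORT):
        print(f)
```

The first filter (a newsletter auto-archive) is legitimate and produces no finding; the second and third are the patterns this section warns about. Delete any flagged rule you did not create, then re-run on a fresh export.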
6) Recognize the most common entry paths
Most Gmail compromises are caused by one of these:
- Phishing: signing into a fake Google login page, often through a link in email or SMS.
- Password reuse: an old leaked password reused across accounts.
- Session hijacking: malware or malicious browser extensions stealing session cookies.
- Device compromise: the attacker does not need to "hack Gmail" if they control the device used to sign in.
If you want a practical way to recognize and avoid phishing, see "how to identify scam emails". If you suspect malware or session theft, complete your device triage first, before re-entering any passwords on that device.
7) If you suspect the account is still being accessed
If you keep seeing prompts, password reset emails, or new devices after you "fixed" the account, treat it as persistence:
- Repeat Security Checkup and remove anything you do not recognize.
- Rotate the password again from a different, trusted device.
- Re-check Gmail forwarding and filters.
- Consider whether your browser profile or device is compromised and handle that first.
Google publishes a secure-your-account guide that focuses on the core recovery and hardening steps: Secure a hacked or compromised Google Account.
Gmail recovery is successful when it is treated as a system: identity, sessions, recovery methods, and inbox configuration all together. If you fix only one part, the attacker uses the other parts.
The strategic goal is stability. Once your recovery email and phone are clean, sessions are owned, and sign-in is phishing-resistant, the same attacker behavior collapses into a short event instead of a loop.
From that point forward, your best defense is habit: unique passwords in a manager, strong sign-in, and the discipline to navigate to Google directly instead of signing in from links.
When those habits exist, Gmail stops being a fragile dependency and becomes a controlled asset again.
